dcrat | 8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
Size

1.7MB
MD5

6c26f99f8cc5c28eedd98e866861d80d
SHA1

44d8cc809e4617152a9d8d2f0ff45991407d3ca4
SHA256

8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b
SHA512

d460bd742c0044711dd64d656977d924fc67e5580277a5649b931dd07d1de8951f408a711091037e8b08a81c391bccc1a8388745455180791af6c2b66c1a2359
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2820	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2820	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2036-1-0x0000000000230000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/files/0x0008000000016dc0-27.dat	dcrat
behavioral1/files/0x000600000001a4b7-66.dat	dcrat
behavioral1/files/0x000a000000016dc0-77.dat	dcrat
behavioral1/files/0x000a000000017021-102.dat	dcrat
behavioral1/files/0x00070000000195fe-113.dat	dcrat
behavioral1/memory/1088-234-0x0000000000BE0000-0x0000000000DA0000-memory.dmp	dcrat
behavioral1/memory/952-258-0x00000000001B0000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/1628-270-0x0000000001360000-0x0000000001520000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1940	powershell.exe
1804	powershell.exe
1444	powershell.exe
2772	powershell.exe
2416	powershell.exe
2232	powershell.exe
2976	powershell.exe
2228	powershell.exe
2276	powershell.exe
2424	powershell.exe
2832	powershell.exe
2688	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe

Executes dropped EXE 9 IoCs

pid	Process
1088	audiodg.exe
1456	audiodg.exe
952	audiodg.exe
1628	audiodg.exe
532	audiodg.exe
2112	audiodg.exe
1252	audiodg.exe
1492	audiodg.exe
2504	audiodg.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXC06E.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Program Files (x86)\Uninstall Information\spoolsv.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Program Files (x86)\Uninstall Information\f3b6ecef712a24	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXB9D5.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXB9D6.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXC0DC.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\6ccacd8608530f	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\lsass.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Windows\Cursors\6203df4a6bafc7	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Windows\Cursors\RCXB2BE.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File opened for modification	C:\Windows\Cursors\RCXB2BF.tmp	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
File created	C:\Windows\Cursors\lsass.exe	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1292	schtasks.exe
2680	schtasks.exe
2884	schtasks.exe
1792	schtasks.exe
588	schtasks.exe
2912	schtasks.exe
2720	schtasks.exe
1688	schtasks.exe
1684	schtasks.exe
480	schtasks.exe
1196	schtasks.exe
1720	schtasks.exe
2712	schtasks.exe
1864	schtasks.exe
2392	schtasks.exe
2324	schtasks.exe
3052	schtasks.exe
2908	schtasks.exe
2444	schtasks.exe
1660	schtasks.exe
372	schtasks.exe
908	schtasks.exe
2768	schtasks.exe
1652	schtasks.exe
1648	schtasks.exe
2520	schtasks.exe
3000	schtasks.exe
2844	schtasks.exe
3036	schtasks.exe
824	schtasks.exe
828	schtasks.exe
2960	schtasks.exe
1268	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2416	powershell.exe
2688	powershell.exe
2228	powershell.exe
2424	powershell.exe
1940	powershell.exe
2832	powershell.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
1804	powershell.exe
2232	powershell.exe
2976	powershell.exe
1444	powershell.exe
2772	powershell.exe
2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
2276	powershell.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe
1088	audiodg.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1088	audiodg.exe
Token: SeDebugPrivilege	1456	audiodg.exe
Token: SeDebugPrivilege	952	audiodg.exe
Token: SeDebugPrivilege	1628	audiodg.exe
Token: SeDebugPrivilege	532	audiodg.exe
Token: SeDebugPrivilege	2112	audiodg.exe
Token: SeDebugPrivilege	1252	audiodg.exe
Token: SeDebugPrivilege	1492	audiodg.exe
Token: SeDebugPrivilege	2504	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1940	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	65
PID 2036 wrote to memory of 1940	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	65
PID 2036 wrote to memory of 1940	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	65
PID 2036 wrote to memory of 1804	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	66
PID 2036 wrote to memory of 1804	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	66
PID 2036 wrote to memory of 1804	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	66
PID 2036 wrote to memory of 1444	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	67
PID 2036 wrote to memory of 1444	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	67
PID 2036 wrote to memory of 1444	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	67
PID 2036 wrote to memory of 2276	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	68
PID 2036 wrote to memory of 2276	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	68
PID 2036 wrote to memory of 2276	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	68
PID 2036 wrote to memory of 2772	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	69
PID 2036 wrote to memory of 2772	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	69
PID 2036 wrote to memory of 2772	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	69
PID 2036 wrote to memory of 2416	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	70
PID 2036 wrote to memory of 2416	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	70
PID 2036 wrote to memory of 2416	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	70
PID 2036 wrote to memory of 2424	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	71
PID 2036 wrote to memory of 2424	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	71
PID 2036 wrote to memory of 2424	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	71
PID 2036 wrote to memory of 2232	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	72
PID 2036 wrote to memory of 2232	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	72
PID 2036 wrote to memory of 2232	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	72
PID 2036 wrote to memory of 2976	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	73
PID 2036 wrote to memory of 2976	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	73
PID 2036 wrote to memory of 2976	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	73
PID 2036 wrote to memory of 2832	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	74
PID 2036 wrote to memory of 2832	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	74
PID 2036 wrote to memory of 2832	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	74
PID 2036 wrote to memory of 2688	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	75
PID 2036 wrote to memory of 2688	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	75
PID 2036 wrote to memory of 2688	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	75
PID 2036 wrote to memory of 2228	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	76
PID 2036 wrote to memory of 2228	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	76
PID 2036 wrote to memory of 2228	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	76
PID 2036 wrote to memory of 1088	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	89
PID 2036 wrote to memory of 1088	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	89
PID 2036 wrote to memory of 1088	2036	8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe	89
PID 1088 wrote to memory of 764	1088	audiodg.exe	90
PID 1088 wrote to memory of 764	1088	audiodg.exe	90
PID 1088 wrote to memory of 764	1088	audiodg.exe	90
PID 1088 wrote to memory of 1508	1088	audiodg.exe	91
PID 1088 wrote to memory of 1508	1088	audiodg.exe	91
PID 1088 wrote to memory of 1508	1088	audiodg.exe	91
PID 764 wrote to memory of 1456	764	WScript.exe	92
PID 764 wrote to memory of 1456	764	WScript.exe	92
PID 764 wrote to memory of 1456	764	WScript.exe	92
PID 1456 wrote to memory of 2888	1456	audiodg.exe	93
PID 1456 wrote to memory of 2888	1456	audiodg.exe	93
PID 1456 wrote to memory of 2888	1456	audiodg.exe	93
PID 1456 wrote to memory of 2308	1456	audiodg.exe	94
PID 1456 wrote to memory of 2308	1456	audiodg.exe	94
PID 1456 wrote to memory of 2308	1456	audiodg.exe	94
PID 2888 wrote to memory of 952	2888	WScript.exe	95
PID 2888 wrote to memory of 952	2888	WScript.exe	95
PID 2888 wrote to memory of 952	2888	WScript.exe	95
PID 952 wrote to memory of 1292	952	audiodg.exe	96
PID 952 wrote to memory of 1292	952	audiodg.exe	96
PID 952 wrote to memory of 1292	952	audiodg.exe	96
PID 952 wrote to memory of 1708	952	audiodg.exe	97
PID 952 wrote to memory of 1708	952	audiodg.exe	97
PID 952 wrote to memory of 1708	952	audiodg.exe	97
PID 1292 wrote to memory of 1628	1292	WScript.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe
"C:\Users\Admin\AppData\Local\Temp\8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
  "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fa7f481-b414-46eb-b429-684532fc9749.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
      "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\abfe6f65-fc64-4613-aa56-9f16ac2117b6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec427e94-a5bb-4174-a2ee-e94eb8cf4f77.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\39b56498-d7c6-4865-a964-2f1905484557.vbs"
        9⤵
        
        PID:2572
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d29c53ea-87e8-4398-8b55-858ef5fb8c94.vbs"
        11⤵
        
        PID:1592
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59150f38-5955-43fa-a276-6d71ced3cad8.vbs"
        13⤵
        
        PID:1744
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb15d973-246e-4e9f-ae12-e69a8e3f620d.vbs"
        15⤵
        
        PID:376
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a58bde9-eb15-43d9-b95e-1d58d8340741.vbs"
        17⤵
        
        PID:2736
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90a2684f-57a2-4c54-8c0d-a8c1d92f4e13.vbs"
        19⤵
        
        PID:2752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1506b986-8e9b-48a9-b20b-81ce891fed0e.vbs"
        19⤵
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0059a26a-43f5-492f-8131-912d6f6898a5.vbs"
        17⤵
        
        PID:1556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44685554-e376-4fc9-b900-48e5c2df12a4.vbs"
        15⤵
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf7d5b1a-4ef7-47c6-af19-c163674bf767.vbs"
        13⤵
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bdf8cd2a-0d7d-433c-a330-e519fd83c9ff.vbs"
        11⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e89ee45a-786e-42cc-b743-d6d1008f1b94.vbs"
        9⤵
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d05ca41a-d8bb-4dce-9cb2-61c645acf70b.vbs"
        7⤵
        
        PID:1708
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2b34784e-4e45-4137-ae69-7c96dc3314e9.vbs"
        5⤵
        
        PID:2308
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e27d0d76-1adf-4f79-8335-22af0ddda8b9.vbs"
    3⤵
    PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\lsass.exe

Filesize
1.7MB

MD5
874bb56f7393759e04d9fc8a96801093

SHA1
35bef4430531d25cb2f7487cbb9e01fb7c9bf631

SHA256
67a317d173ea669597600b48d55a8fb2b02e1e024152e54f046b524521d4dd52

SHA512
7930327e6284f97fcc4164ed1e5f58ebc31a0c51da3984e784a74e2db25941067e4b89aa518cf00d0cef9796f473b3af60d1419890604529e8d2464c3d85f6a3

Download Submit
C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
1.7MB

MD5
8eaa7fb60725a55dc99f026a0f81491e

SHA1
c37eb1ad64503b17c7ea373690e8a714ca79118e

SHA256
8e6872f00f355af34b963b9862e2ce2e30f5e0b29fa554048dca105c74fba650

SHA512
328ebb853f42e0b800e46324956da82a37d219357650fb21da92d44cb5467a7d19d43b6ccae55f1f224a19fd521d425d9046048fcd8cc44ce4bf19174c8afd03

Download Submit
C:\Program Files (x86)\Windows Mail\de-DE\Idle.exe

Filesize
1.7MB

MD5
2628664fab5f2d3a2673fb85d71a4057

SHA1
9c39a8127724ed7b52cbd1d6c24964e0d62b0ad4

SHA256
b84ec7f7cff20471cdbf7aa47bb6ebc23599edbb32d87e94a478707387812afe

SHA512
ab434bb36f42b45eafeea3adff7b5ea21bbe2801bac2636bec19452611c027ff4c2e308e879c43f9430d5cdbfc8fa252932fe9ad061891be25c9cc4fb473205f

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe

Filesize
1.7MB

MD5
79cfbf3d6fe2517f7dedc0c6acf01291

SHA1
bb520646674aee12419f7b2eb5a94b59c7a9eb3f

SHA256
fe559a2a29322106831c2d058a09e5b5eae35a5af1c33f979834a1859c36e0ee

SHA512
b5e794f2dd46db7c6d7a9dfd7cb978ed5eaa651210b2e2e16dca90547431594f62af99941dbccf5c974d471f837abc8c35d008c4288e5b3c31a7a561a517dcf5

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe

Filesize
1.7MB

MD5
6c26f99f8cc5c28eedd98e866861d80d

SHA1
44d8cc809e4617152a9d8d2f0ff45991407d3ca4

SHA256
8c2d4a055d7bae0f75dbbb218f47693d189eac67ab7b9958fc24e437b5a1965b

SHA512
d460bd742c0044711dd64d656977d924fc67e5580277a5649b931dd07d1de8951f408a711091037e8b08a81c391bccc1a8388745455180791af6c2b66c1a2359

Download Submit
C:\Users\Admin\AppData\Local\Temp\39b56498-d7c6-4865-a964-2f1905484557.vbs

Filesize
750B

MD5
328caee86594fe59c57396bb069650e5

SHA1
92d9c04c448f25e4b3e5917b14cb2754543c8f1f

SHA256
aa1604e2648b30b5148567aee8cf55db66c06d58069434ffde429d3ced2c78b3

SHA512
e21268b136a9a103956ccc9709c9d7c9c87bbc2bd8c1e00dc2be4f74d30f51cd6bac0eb7be368f395fe8695ec5d495aef671804fe418444f5519de8e1ec7ee3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3fa7f481-b414-46eb-b429-684532fc9749.vbs

Filesize
750B

MD5
a2d2c12a783a18fbae081677168b2e25

SHA1
76a74ed6e9d1a390524e77eca3952e95aeade3cc

SHA256
0faad44d6386d4d41fa1551e89b284a6458cd2280206166f8747dd3d600f14bd

SHA512
5c1122ec44b3f322e5f59b9385417421bf20f8d9caa5fe057160ac658c68ec18f0dbaabd86ffba51686e39e24b5ebc52b6ff316383a09792e1f393ad4511ec58

Download Submit
C:\Users\Admin\AppData\Local\Temp\59150f38-5955-43fa-a276-6d71ced3cad8.vbs

Filesize
750B

MD5
bee5b805a179a92716ff4c0e10bf3bc7

SHA1
a6aa1c45e23f1c146f1acc1ead5ffd37c1516753

SHA256
44fc4afa94a9a09177b75ed2fae3eaa35b4142b3adbeef073b05cc091701ce74

SHA512
b608a85f9ef1dd2ed8603e660648ff8a554039041f6f693d9bf40a1004062190007b1695efca87e60254c2e745511ba6746e0e40844eda6b0f0f88fe5bedd6e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a58bde9-eb15-43d9-b95e-1d58d8340741.vbs

Filesize
750B

MD5
8a9c62685721ac11ed6d37b959c088f1

SHA1
606f5e32993913b763581568538c7b0602b4cb00

SHA256
4c705298e8c2dc34e4f3c0f1c81a8f20e3c7501e640d52855f31e5904889cd93

SHA512
a7486cc42b8e93c7d8fe5c631e739869ca1433f5a05b8d5df2197207eca288972403f7452115ea57cb0470fece00fe3eceef5f1ea7cac26fbbadd16b724489df

Download Submit
C:\Users\Admin\AppData\Local\Temp\90a2684f-57a2-4c54-8c0d-a8c1d92f4e13.vbs

Filesize
750B

MD5
457cdeb115d51829367f1e596189d15a

SHA1
ff598c1a516b8f4ce49d4422a9e95934c9ff7a8e

SHA256
acbd9b5dcab88eec79bcd9491a78d8b243228f3bbec4aafcbf81bd3865684145

SHA512
2d5f4670a3fc6f788f623740cd1fe62a1d9633e5fb9f99f34fc525daac1bd63c2b99430fd3c4cd894e0d9c46507b2b6ef16589dd3120c6f5482e1e3818b957e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\abfe6f65-fc64-4613-aa56-9f16ac2117b6.vbs

Filesize
750B

MD5
36a1a3e578fd6ab6754bb0f065b5883e

SHA1
7b38e685cd6e03bfbcfe2d3a2baa102b453eff26

SHA256
45b5ae8fab9a6926a3f4f64dc0939350bb125399a45f1f777ae6b142f1539bd8

SHA512
37e6aef1850364a30c4fe420cb95e6d012243eabdc640837651bc30ca832a5a173aaca8268795c43415b277f0e1ef7183f31ed2d0290579e0e1a39b19ef0f5d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\d29c53ea-87e8-4398-8b55-858ef5fb8c94.vbs

Filesize
749B

MD5
d7819ffc82f6ae64b4c4ba397d4ad041

SHA1
5df94ef5ae25dabe4e48af54c415e613cc8b6691

SHA256
bd165b046abec062d9d30897734f2ccc1180f36fc64d5b1b9107b84954609d30

SHA512
2d007b415721d2e598e6f018fe327748481adcb666a44ae167c40428026930b137022f812433e5f43f50420edf9aaef99f83233c4ac628635b5637ead13b9bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\e27d0d76-1adf-4f79-8335-22af0ddda8b9.vbs

Filesize
526B

MD5
9583dbcb163f828b2a2f9a710150e9bb

SHA1
b0339b17943a64b131453f498f5f463b7deb28b5

SHA256
482f615ab1fc47510d277c4ea0a4bbe9c1f218fb9a6ce552f4ffd71f0739b2c7

SHA512
3d716cde9c33835cd0b13bd072f03b2b7fdcdec36653833297f5238dc4c1e5416f6285ee7cd99e840cc594196dd192449f82581cbabb8c604a5c112c5647727c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec427e94-a5bb-4174-a2ee-e94eb8cf4f77.vbs

Filesize
749B

MD5
7fd790c4ccbfdb95acbc2d7010accd4a

SHA1
01ca2b0159ac582bf9bb9d7b12f9e886878ce184

SHA256
0263e911c8c411e6bf4fb90fe7c6dd97506c444bceb298addb885bc46513e562

SHA512
29ae2ec041b6f8b5b1eefdc750ff8eef2e20abc9bceb59d4bb06e86cf5a7e73b5165ae463c073a76e4fd751e275bae7e153883559ff2d11515b5a8de8fafc8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb15d973-246e-4e9f-ae12-e69a8e3f620d.vbs

Filesize
750B

MD5
35a3b65c3df7ddf6a78da7ba9d6b0a80

SHA1
c203b5293530cf99183c792f1bb00e994ec022e0

SHA256
a4036bf2779975695767b435e23f13783e74ebe62989ec6a06060213ec81e05d

SHA512
aa894785f998ac4e6dca46092ebc0c0e7ed96b6af58039ef025058cae6645d99f59d4d39bbe037289162bed95ab3a97eae14763e4e628086e5a19650b50d5925

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
115e6942eff6563940d0ac59a19da44f

SHA1
0e3d4c597a3ea60f969ce4a2e2dc31fe6a84c2dd

SHA256
034cdfa66dcfcbf2ceb7b1c616b72e4cd60da6037b08da443066dbaf751b9ffa

SHA512
5785faa2edde8fd5c1f3769393175f5c1ea1ff41a1221aa5afa6611f761bf0b6f957063a03254773d4e32d7e75a823cf282cf10f4a3f1654388096c8c38f9308

Download Submit
memory/952-258-0x00000000001B0000-0x0000000000370000-memory.dmp

Filesize
1.8MB

Download
memory/1088-234-0x0000000000BE0000-0x0000000000DA0000-memory.dmp

Filesize
1.8MB

Download
memory/1088-236-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/1252-304-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/1628-270-0x0000000001360000-0x0000000001520000-memory.dmp

Filesize
1.8MB

Download
memory/2036-17-0x00000000021D0000-0x00000000021DC000-memory.dmp

Filesize
48KB

Download
memory/2036-0-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Filesize
4KB

Download
memory/2036-1-0x0000000000230000-0x00000000003F0000-memory.dmp

Filesize
1.8MB

Download
memory/2036-196-0x000007FEF5D93000-0x000007FEF5D94000-memory.dmp

Filesize
4KB

Download
memory/2036-2-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2036-12-0x0000000001FE0000-0x0000000001FEC000-memory.dmp

Filesize
48KB

Download
memory/2036-235-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2036-7-0x0000000000760000-0x0000000000770000-memory.dmp

Filesize
64KB

Download
memory/2036-6-0x0000000000740000-0x0000000000756000-memory.dmp

Filesize
88KB

Download
memory/2036-15-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/2036-5-0x0000000000730000-0x0000000000740000-memory.dmp

Filesize
64KB

Download
memory/2036-18-0x000007FEF5D90000-0x000007FEF677C000-memory.dmp

Filesize
9.9MB

Download
memory/2036-8-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2036-16-0x00000000021C0000-0x00000000021CC000-memory.dmp

Filesize
48KB

Download
memory/2036-9-0x0000000000890000-0x0000000000898000-memory.dmp

Filesize
32KB

Download
memory/2036-4-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2036-13-0x00000000022D0000-0x00000000022DA000-memory.dmp

Filesize
40KB

Download
memory/2036-3-0x0000000000500000-0x000000000051C000-memory.dmp

Filesize
112KB

Download
memory/2036-11-0x0000000001FD0000-0x0000000001FE2000-memory.dmp

Filesize
72KB

Download
memory/2036-14-0x00000000021A0000-0x00000000021AE000-memory.dmp

Filesize
56KB

Download
memory/2416-195-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download
memory/2416-186-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download