dcrat | dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
Size

1.7MB
MD5

5c23172320d7107e9c3dfd6d6f0abbd0
SHA1

97b7676138ca777520ca12a35eb63d71ca7953e6
SHA256

dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969
SHA512

a049b7045ddd94269fa367b4ebe533097376f4ec4ceccaa00c5a9d641bd145bee72ad3e1ed52e99425a8de1ac0f36314a38957cf397e20205607af88153ada80
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2824	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2824	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1180-1-0x0000000000C60000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/files/0x000500000001a494-27.dat	dcrat
behavioral1/files/0x00090000000194da-118.dat	dcrat
behavioral1/files/0x00100000000194e6-202.dat	dcrat
behavioral1/memory/2396-236-0x0000000001180000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2924-310-0x00000000011D0000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2732-323-0x00000000012B0000-0x0000000001470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2764	powershell.exe
2648	powershell.exe
2348	powershell.exe
2344	powershell.exe
1360	powershell.exe
2228	powershell.exe
672	powershell.exe
1476	powershell.exe
1804	powershell.exe
2244	powershell.exe
2520	powershell.exe
1788	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe

Executes dropped EXE 8 IoCs

pid	Process
2396	lsass.exe
2372	lsass.exe
2924	lsass.exe
2732	lsass.exe
2412	lsass.exe
2364	lsass.exe
2432	lsass.exe
1712	lsass.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\OSPPSVC.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\services.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\c5b4cb5e9653cc	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files\Windows Mail\it-IT\Idle.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files\Windows Mail\it-IT\6ccacd8608530f	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\services.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows Mail\dllhost.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX38DD.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\taskhost.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\MSBuild\taskhost.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\MSBuild\b75386f1303e64	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\OSPPSVC.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX2B79.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows Mail\RCX2FEE.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows Mail\RCX2FEF.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX3260.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\RCX38DC.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\1610b97d3ab4a7	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\RCX2B78.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX3261.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCX3EEA.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\Idle.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files\Windows Mail\dllhost.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Program Files\Windows Mail\5940a34987c991	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Program Files\Windows Mail\it-IT\RCX3EEB.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CSC\Idle.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Windows\CSC\v2.0.6\lsm.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Windows\CSC\Idle.exe	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File created	C:\Windows\CSC\6ccacd8608530f	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Windows\CSC\RCX4566.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
File opened for modification	C:\Windows\CSC\RCX4567.tmp	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
2400	schtasks.exe
904	schtasks.exe
2728	schtasks.exe
2492	schtasks.exe
2016	schtasks.exe
2596	schtasks.exe
2764	schtasks.exe
2448	schtasks.exe
684	schtasks.exe
1328	schtasks.exe
2628	schtasks.exe
2984	schtasks.exe
2864	schtasks.exe
568	schtasks.exe
588	schtasks.exe
2072	schtasks.exe
2456	schtasks.exe
1856	schtasks.exe
2652	schtasks.exe
1788	schtasks.exe
2860	schtasks.exe
2136	schtasks.exe
1260	schtasks.exe
288	schtasks.exe
2992	schtasks.exe
2140	schtasks.exe
2620	schtasks.exe
2424	schtasks.exe
2128	schtasks.exe
1288	schtasks.exe
1736	schtasks.exe
1928	schtasks.exe
852	schtasks.exe
1724	schtasks.exe
2968	schtasks.exe
332	schtasks.exe
1100	schtasks.exe
1512	schtasks.exe
2696	schtasks.exe
2064	schtasks.exe
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
2344	powershell.exe
2764	powershell.exe
2244	powershell.exe
672	powershell.exe
2648	powershell.exe
2228	powershell.exe
1476	powershell.exe
2520	powershell.exe
1788	powershell.exe
2348	powershell.exe
1804	powershell.exe
1360	powershell.exe
2396	lsass.exe
2396	lsass.exe
2396	lsass.exe
2396	lsass.exe
2396	lsass.exe
2396	lsass.exe
2396	lsass.exe
2396	lsass.exe
2396	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	2396	lsass.exe
Token: SeDebugPrivilege	2372	lsass.exe
Token: SeDebugPrivilege	2924	lsass.exe
Token: SeDebugPrivilege	2732	lsass.exe
Token: SeDebugPrivilege	2412	lsass.exe
Token: SeDebugPrivilege	2364	lsass.exe
Token: SeDebugPrivilege	2432	lsass.exe
Token: SeDebugPrivilege	1712	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1788	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	73
PID 1180 wrote to memory of 1788	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	73
PID 1180 wrote to memory of 1788	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	73
PID 1180 wrote to memory of 2520	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	74
PID 1180 wrote to memory of 2520	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	74
PID 1180 wrote to memory of 2520	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	74
PID 1180 wrote to memory of 2344	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	75
PID 1180 wrote to memory of 2344	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	75
PID 1180 wrote to memory of 2344	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	75
PID 1180 wrote to memory of 2348	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	76
PID 1180 wrote to memory of 2348	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	76
PID 1180 wrote to memory of 2348	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	76
PID 1180 wrote to memory of 2648	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	77
PID 1180 wrote to memory of 2648	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	77
PID 1180 wrote to memory of 2648	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	77
PID 1180 wrote to memory of 2764	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	78
PID 1180 wrote to memory of 2764	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	78
PID 1180 wrote to memory of 2764	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	78
PID 1180 wrote to memory of 1476	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	79
PID 1180 wrote to memory of 1476	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	79
PID 1180 wrote to memory of 1476	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	79
PID 1180 wrote to memory of 672	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	80
PID 1180 wrote to memory of 672	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	80
PID 1180 wrote to memory of 672	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	80
PID 1180 wrote to memory of 2228	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	83
PID 1180 wrote to memory of 2228	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	83
PID 1180 wrote to memory of 2228	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	83
PID 1180 wrote to memory of 1360	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	84
PID 1180 wrote to memory of 1360	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	84
PID 1180 wrote to memory of 1360	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	84
PID 1180 wrote to memory of 2244	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	85
PID 1180 wrote to memory of 2244	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	85
PID 1180 wrote to memory of 2244	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	85
PID 1180 wrote to memory of 1804	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	87
PID 1180 wrote to memory of 1804	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	87
PID 1180 wrote to memory of 1804	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	87
PID 1180 wrote to memory of 2396	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	97
PID 1180 wrote to memory of 2396	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	97
PID 1180 wrote to memory of 2396	1180	dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe	97
PID 2396 wrote to memory of 2836	2396	lsass.exe	98
PID 2396 wrote to memory of 2836	2396	lsass.exe	98
PID 2396 wrote to memory of 2836	2396	lsass.exe	98
PID 2396 wrote to memory of 536	2396	lsass.exe	99
PID 2396 wrote to memory of 536	2396	lsass.exe	99
PID 2396 wrote to memory of 536	2396	lsass.exe	99
PID 2836 wrote to memory of 2372	2836	WScript.exe	100
PID 2836 wrote to memory of 2372	2836	WScript.exe	100
PID 2836 wrote to memory of 2372	2836	WScript.exe	100
PID 2372 wrote to memory of 2512	2372	lsass.exe	101
PID 2372 wrote to memory of 2512	2372	lsass.exe	101
PID 2372 wrote to memory of 2512	2372	lsass.exe	101
PID 2372 wrote to memory of 2620	2372	lsass.exe	102
PID 2372 wrote to memory of 2620	2372	lsass.exe	102
PID 2372 wrote to memory of 2620	2372	lsass.exe	102
PID 2512 wrote to memory of 2924	2512	WScript.exe	103
PID 2512 wrote to memory of 2924	2512	WScript.exe	103
PID 2512 wrote to memory of 2924	2512	WScript.exe	103
PID 2924 wrote to memory of 2860	2924	lsass.exe	104
PID 2924 wrote to memory of 2860	2924	lsass.exe	104
PID 2924 wrote to memory of 2860	2924	lsass.exe	104
PID 2924 wrote to memory of 952	2924	lsass.exe	105
PID 2924 wrote to memory of 952	2924	lsass.exe	105
PID 2924 wrote to memory of 952	2924	lsass.exe	105
PID 2860 wrote to memory of 2732	2860	WScript.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe
"C:\Users\Admin\AppData\Local\Temp\dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1804
- C:\Users\Default User\lsass.exe
  "C:\Users\Default User\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05c61d85-4d2f-4731-a1d9-68cf88b19fc0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Default User\lsass.exe
      "C:\Users\Default User\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2372
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edb91a59-a87d-4ab6-b5f4-d5b8f4d7ef54.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2512
      - C:\Users\Default User\lsass.exe
        
        "C:\Users\Default User\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0b4b3aeb-7784-4f84-8254-12cbd8940b28.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Users\Default User\lsass.exe
        
        "C:\Users\Default User\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b5609816-737f-43d0-bc48-1e174510f512.vbs"
        9⤵
        
        PID:1740
        
        C:\Users\Default User\lsass.exe
        
        "C:\Users\Default User\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6670e8e5-5cbb-47c4-81ee-6d73c724048e.vbs"
        11⤵
        
        PID:2312
        
        C:\Users\Default User\lsass.exe
        
        "C:\Users\Default User\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd936c0e-fa3f-4644-ac71-a48a31b10e6c.vbs"
        13⤵
        
        PID:2424
        
        C:\Users\Default User\lsass.exe
        
        "C:\Users\Default User\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a71a5a53-19b0-4779-958e-1a2739e29392.vbs"
        15⤵
        
        PID:904
        
        C:\Users\Default User\lsass.exe
        
        "C:\Users\Default User\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33aa6e59-84d0-483a-8051-90c5e8a3a9d9.vbs"
        17⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21300d69-c585-408d-9c21-77d82a83bc0d.vbs"
        17⤵
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3c22c5-1d0f-44f4-aba9-3f20e9ce62ed.vbs"
        15⤵
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a7e081c-9fcb-4b74-8344-e69e060a331a.vbs"
        13⤵
        
        PID:1580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3056771e-f9ce-4811-9e7a-ec74a5ac8496.vbs"
        11⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7792b0c5-71a3-42e5-9f73-079520cf99a9.vbs"
        9⤵
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eab53d8f-7936-4706-9a5b-d36abfa5414e.vbs"
        7⤵
        
        PID:952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6363fd9-5549-4c91-9724-6b65a3959941.vbs"
        5⤵
        
        PID:2620
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb1ece3c-b21f-4871-842c-c2b79bd9d332.vbs"
    3⤵
    PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\Default\My Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\CSC\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\CSC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\CSC\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MSBuild\taskhost.exe

Filesize
1.7MB

MD5
5c23172320d7107e9c3dfd6d6f0abbd0

SHA1
97b7676138ca777520ca12a35eb63d71ca7953e6

SHA256
dea6d6cb7f46f0236f831b99612a7ff6890871b5309292dbcf6801d6c06da969

SHA512
a049b7045ddd94269fa367b4ebe533097376f4ec4ceccaa00c5a9d641bd145bee72ad3e1ed52e99425a8de1ac0f36314a38957cf397e20205607af88153ada80

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\taskhost.exe

Filesize
1.7MB

MD5
2ee04de57aed562bde269ce03825d163

SHA1
75ba3ef72a100e4e1372e943c41a95d59f14a523

SHA256
b3a8b83b5510e3c4ed1ab092486011398f640712eba9bc8e588cf1d77d466948

SHA512
1e4cafc2b483c2b012e3856b181864848bda93a796e74d05b9268a904dabecd4b2e3c9b3f992d50bbe9ceded649c356e2de38c8493b00e5faf09f39130817d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\05c61d85-4d2f-4731-a1d9-68cf88b19fc0.vbs

Filesize
707B

MD5
681a19785f6c584a1e1eb2d09fb29c14

SHA1
4681704796cd53f4173f7fa133fbbbf0b800e156

SHA256
ab526a10d420948bc0beb86d50591caf6a5201331bd54b20dd95464e98d65a0f

SHA512
c8aca64d83792f3a9cbdc71c05c024fbf187f72d3d2458d1203af1b0b38bd7ee2336d3351a082d912f09280dc2ba1634c7d52713091fbd6a48254bc4360ec322

Download Submit
C:\Users\Admin\AppData\Local\Temp\0b4b3aeb-7784-4f84-8254-12cbd8940b28.vbs

Filesize
707B

MD5
a99f5081fb07ab8df20f676817f1afa0

SHA1
2e452f056fbc0e08e992be31842f32ca2f9fb0f7

SHA256
dae81514a0596eefea23dc581d322cb0cce1acbd10e30614dd8f11e232cbddad

SHA512
a1710bf2d16eaf122f3452ee3537233c2169efa7923df0343fabc149a6e25f5354e474c569ff9fb97707b8bf5ace9f492bb967c69f04ba4460ac2ebc3cb709a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\33aa6e59-84d0-483a-8051-90c5e8a3a9d9.vbs

Filesize
707B

MD5
fe811ccb2ce8ee2f4496da2978f36dd4

SHA1
9047077402c671b0c26a08e34698c05f386ebaa9

SHA256
4d3326a6ec248f60e4a73f989e293bc11f39e1995658493b3b3ca201d31d2986

SHA512
c7e7788845a5cc05f9cd9b9a656bb375814e0d290ddc9d33ef8a5a270358b77d9740398e69d24ca0d1aab3c0ca7cf10a53d51dee6a4eeacf3ad84191d80416e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6670e8e5-5cbb-47c4-81ee-6d73c724048e.vbs

Filesize
707B

MD5
520f6fab22355f22fab759d26cb7303c

SHA1
8d43b94aa69a55fa53fc1827b13f2baae4a74342

SHA256
8d6b58e3357b1897f283b011b1f3fc3ad7fe4e4c90510e26d1e8be172b7c1a7a

SHA512
59a8d02f2983f98954335d42e6a505bbdfbfcf57abf9a22449d2c89edf8fcea16ac6a792085035a7caa7023a0eed74851d2f189c900bb72fe1b81bb78c9e8b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a71a5a53-19b0-4779-958e-1a2739e29392.vbs

Filesize
707B

MD5
94c807a07d9513006cc088f6f5cb02be

SHA1
a2eea865ff2198358dd665b0bcfb078b653775d5

SHA256
677c7ecea48142d38a42caeb8e76e170c749490b3f34f2232c0739c3b6410f7d

SHA512
d3f476c0d4810061ffeedae7721a53cdbe678a0674b3fd09604c4a13cc52ae6d996d01b0708c24aeadfb1bf844ded76f89fcc6ac63517a825234260222f5c365

Download Submit
C:\Users\Admin\AppData\Local\Temp\b5609816-737f-43d0-bc48-1e174510f512.vbs

Filesize
707B

MD5
30e526922365f0b9ddceead10444fc5c

SHA1
f6be32b8b19ef3055cc73628e845b580981b8f7f

SHA256
57140690249b6e6338b4e1e2fd1d2adea24755e0d762aab9f581273c841f6a0c

SHA512
2b82a3c7c8dba6c4ead0c9066a2fd30eec2c88b42f35c32c788f56f7fa28e374d4920e5b40dd91fa2c87a305dc33abf3df1159629bdb287b75ff53ebc53c3535

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb1ece3c-b21f-4871-842c-c2b79bd9d332.vbs

Filesize
483B

MD5
f140d8f51dfcaefa6b7420de35820aef

SHA1
d6fe0272dac696890526485c3c1e58dd9524fffd

SHA256
4c96feb45bc93dad22f60dd75a15c2f366bcbc9cb661d7fe414f9a2d02039123

SHA512
c5adc750f8baf555ce0bb93ac38a75f12aeb213a19c0a3c9051f0c2679426b0705bc5473dc574e1f4197293a8f6505701f60c2e1f58da38f07172998fac1747a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd936c0e-fa3f-4644-ac71-a48a31b10e6c.vbs

Filesize
707B

MD5
b8629be71aa75cccc652f62fce9c4e06

SHA1
4d216283282fc6bdc4a194d96ceddc9197e5fd84

SHA256
76d6b61fd9ebc229560a3e91b3ca2410637094aa7ee9cbe00bba4494ccbc66aa

SHA512
969521cebe6f803ff67c7421f40019ad107b972188f45d960504dcce209f5691625a9975bbd88b2ac6124f183fa1e017bed8cc36c4cf7176c7aa681204c0cd0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\edb91a59-a87d-4ab6-b5f4-d5b8f4d7ef54.vbs

Filesize
707B

MD5
da11501571c1b9f1fdf4e0fa94bb8f02

SHA1
9e58e1ec836109665e70ffa61663db5c078d70f5

SHA256
9c2c946cdba6aa5b55983d4b208aec1f71d539a356fcf60bb3540a15d6fb4e81

SHA512
a73a86f7e19e768f6ddb8ff6cd153b3b08417f14f3fd66f0853629df4c7c7ff450caf91209123fe151cf12327de6bfa54c4128f82743ce110dbf0c78879bef54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
df0845de72c2010cfb5c1d511205b708

SHA1
bf6967d6316bc67b6315f910f9a147e87dc6ffbb

SHA256
eaae01ca6655dcd8d86bde680b6850762f2a6a785cdb8c5719e3fdfe617adbb3

SHA512
9e24a0e34d3d0e1ea75bd41295c9104e0c97057ee56bec35a40a4b7f0bffc5b82e90cb8ec725943be14c337d6de4f6a8185fef40e7af8721fa7cd5175c22364b

Download Submit
C:\Users\Default\Documents\spoolsv.exe

Filesize
1.7MB

MD5
43a04592bfe91bfe2db11c3d28a73ebe

SHA1
17d4f25438eefc853368a5a6cfb9ad61cd08708b

SHA256
28faed48705f24da731f09b6352c9c957ee98155e1800f52ab974838906c6d73

SHA512
3f6171455df036f249518abad25ab05f0ee22d0f6453c0ef7f016b2c74aeaadd54ae71c240fb83ee733d7c493f1d8643b76ed254818d697401862882a756edc1

Download Submit
memory/1180-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1180-1-0x0000000000C60000-0x0000000000E20000-memory.dmp

Filesize
1.8MB

Download
memory/1180-16-0x0000000002320000-0x000000000232C000-memory.dmp

Filesize
48KB

Download
memory/1180-17-0x0000000002330000-0x000000000233C000-memory.dmp

Filesize
48KB

Download
memory/1180-20-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-14-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/1180-13-0x0000000002310000-0x000000000231A000-memory.dmp

Filesize
40KB

Download
memory/1180-193-0x000007FEF5963000-0x000007FEF5964000-memory.dmp

Filesize
4KB

Download
memory/1180-12-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1180-217-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-0-0x000007FEF5963000-0x000007FEF5964000-memory.dmp

Filesize
4KB

Download
memory/1180-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/1180-2-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-15-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/1180-234-0x000007FEF5960000-0x000007FEF634C000-memory.dmp

Filesize
9.9MB

Download
memory/1180-9-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1180-8-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/1180-7-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/1180-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1180-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/1180-6-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/2396-236-0x0000000001180000-0x0000000001340000-memory.dmp

Filesize
1.8MB

Download
memory/2732-323-0x00000000012B0000-0x0000000001470000-memory.dmp

Filesize
1.8MB

Download
memory/2764-238-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2764-239-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2924-311-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2924-310-0x00000000011D0000-0x0000000001390000-memory.dmp

Filesize
1.8MB

Download