dcrat | 94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
Size

1.7MB
MD5

64f23bf509820aaebdd17acf6ee2215f
SHA1

98a5be357387e3951149c993b0fc3e8753a57709
SHA256

94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1
SHA512

cd068260c8ba60ef50f461677141872f79e3f13c14977bba519a57848f3ec96af4823955f28c7cf0d1ce362f145d59284e6e2a71f33897f7f818eb44c7564f29
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2840	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2840	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2636-1-0x0000000000D70000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/files/0x00050000000194e6-27.dat	dcrat
behavioral1/files/0x000c0000000195fd-149.dat	dcrat
behavioral1/files/0x0007000000019659-173.dat	dcrat
behavioral1/memory/2336-256-0x0000000000F80000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/2996-268-0x0000000000FB0000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/3052-292-0x00000000002C0000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2560-304-0x0000000001060000-0x0000000001220000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2980	powershell.exe
2612	powershell.exe
2992	powershell.exe
1900	powershell.exe
1092	powershell.exe
1792	powershell.exe
1608	powershell.exe
2848	powershell.exe
1660	powershell.exe
1800	powershell.exe
1932	powershell.exe
3068	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe

Executes dropped EXE 10 IoCs

pid	Process
2336	explorer.exe
2996	explorer.exe
540	explorer.exe
3052	explorer.exe
2560	explorer.exe
2140	explorer.exe
840	explorer.exe
1008	explorer.exe
2756	explorer.exe
2528	explorer.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0946f200608dad	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXCA6D.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\lsm.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Windows Mail\lsm.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Windows Mail\101b941d020240	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files\Windows Mail\fr-FR\dwm.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXD7F0.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Microsoft Office\886983d96e3d3e	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Google\CrashReports\spoolsv.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\csrss.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXC5F6.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCXCC72.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\dwm.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXCE87.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files\Windows Mail\fr-FR\6cb0b6c459d5d3	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXC1EC.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\spoolsv.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXC5F7.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXCE86.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXCA6E.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Google\CrashReports\f3b6ecef712a24	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXC1ED.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXD7F1.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File created	C:\Program Files (x86)\Microsoft Office\csrss.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCXCC71.tmp	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe
1376	schtasks.exe
2980	schtasks.exe
2992	schtasks.exe
1916	schtasks.exe
2680	schtasks.exe
1232	schtasks.exe
2200	schtasks.exe
2732	schtasks.exe
1940	schtasks.exe
752	schtasks.exe
2456	schtasks.exe
1688	schtasks.exe
2804	schtasks.exe
2984	schtasks.exe
2552	schtasks.exe
1980	schtasks.exe
2312	schtasks.exe
2276	schtasks.exe
2748	schtasks.exe
656	schtasks.exe
1240	schtasks.exe
2940	schtasks.exe
2460	schtasks.exe
2196	schtasks.exe
2712	schtasks.exe
2036	schtasks.exe
2756	schtasks.exe
2924	schtasks.exe
2656	schtasks.exe
3040	schtasks.exe
1904	schtasks.exe
1936	schtasks.exe
1724	schtasks.exe
2204	schtasks.exe
2512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
1932	powershell.exe
2848	powershell.exe
2612	powershell.exe
1792	powershell.exe
1608	powershell.exe
1092	powershell.exe
1900	powershell.exe
3068	powershell.exe
1800	powershell.exe
2980	powershell.exe
2992	powershell.exe
1660	powershell.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe
2336	explorer.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	2336	explorer.exe
Token: SeDebugPrivilege	2996	explorer.exe
Token: SeDebugPrivilege	540	explorer.exe
Token: SeDebugPrivilege	3052	explorer.exe
Token: SeDebugPrivilege	2560	explorer.exe
Token: SeDebugPrivilege	2140	explorer.exe
Token: SeDebugPrivilege	840	explorer.exe
Token: SeDebugPrivilege	1008	explorer.exe
Token: SeDebugPrivilege	2756	explorer.exe
Token: SeDebugPrivilege	2528	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 1608	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	68
PID 2636 wrote to memory of 1608	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	68
PID 2636 wrote to memory of 1608	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	68
PID 2636 wrote to memory of 1660	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	69
PID 2636 wrote to memory of 1660	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	69
PID 2636 wrote to memory of 1660	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	69
PID 2636 wrote to memory of 2848	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	70
PID 2636 wrote to memory of 2848	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	70
PID 2636 wrote to memory of 2848	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	70
PID 2636 wrote to memory of 2980	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	71
PID 2636 wrote to memory of 2980	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	71
PID 2636 wrote to memory of 2980	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	71
PID 2636 wrote to memory of 1800	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	73
PID 2636 wrote to memory of 1800	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	73
PID 2636 wrote to memory of 1800	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	73
PID 2636 wrote to memory of 1932	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	74
PID 2636 wrote to memory of 1932	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	74
PID 2636 wrote to memory of 1932	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	74
PID 2636 wrote to memory of 2612	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	75
PID 2636 wrote to memory of 2612	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	75
PID 2636 wrote to memory of 2612	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	75
PID 2636 wrote to memory of 3068	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	76
PID 2636 wrote to memory of 3068	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	76
PID 2636 wrote to memory of 3068	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	76
PID 2636 wrote to memory of 2992	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	77
PID 2636 wrote to memory of 2992	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	77
PID 2636 wrote to memory of 2992	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	77
PID 2636 wrote to memory of 1792	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	78
PID 2636 wrote to memory of 1792	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	78
PID 2636 wrote to memory of 1792	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	78
PID 2636 wrote to memory of 1092	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	80
PID 2636 wrote to memory of 1092	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	80
PID 2636 wrote to memory of 1092	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	80
PID 2636 wrote to memory of 1900	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	81
PID 2636 wrote to memory of 1900	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	81
PID 2636 wrote to memory of 1900	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	81
PID 2636 wrote to memory of 1152	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	92
PID 2636 wrote to memory of 1152	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	92
PID 2636 wrote to memory of 1152	2636	94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe	92
PID 1152 wrote to memory of 1012	1152	cmd.exe	94
PID 1152 wrote to memory of 1012	1152	cmd.exe	94
PID 1152 wrote to memory of 1012	1152	cmd.exe	94
PID 1152 wrote to memory of 2336	1152	cmd.exe	95
PID 1152 wrote to memory of 2336	1152	cmd.exe	95
PID 1152 wrote to memory of 2336	1152	cmd.exe	95
PID 2336 wrote to memory of 2348	2336	explorer.exe	96
PID 2336 wrote to memory of 2348	2336	explorer.exe	96
PID 2336 wrote to memory of 2348	2336	explorer.exe	96
PID 2336 wrote to memory of 1088	2336	explorer.exe	97
PID 2336 wrote to memory of 1088	2336	explorer.exe	97
PID 2336 wrote to memory of 1088	2336	explorer.exe	97
PID 2348 wrote to memory of 2996	2348	WScript.exe	98
PID 2348 wrote to memory of 2996	2348	WScript.exe	98
PID 2348 wrote to memory of 2996	2348	WScript.exe	98
PID 2996 wrote to memory of 1004	2996	explorer.exe	99
PID 2996 wrote to memory of 1004	2996	explorer.exe	99
PID 2996 wrote to memory of 1004	2996	explorer.exe	99
PID 2996 wrote to memory of 880	2996	explorer.exe	100
PID 2996 wrote to memory of 880	2996	explorer.exe	100
PID 2996 wrote to memory of 880	2996	explorer.exe	100
PID 1004 wrote to memory of 540	1004	WScript.exe	101
PID 1004 wrote to memory of 540	1004	WScript.exe	101
PID 1004 wrote to memory of 540	1004	WScript.exe	101
PID 540 wrote to memory of 3036	540	explorer.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe
"C:\Users\Admin\AppData\Local\Temp\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bjknkRRiu6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1012
- - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
    "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af1a746f-8ff4-4146-a4cb-99f995880144.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2348
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\145f0923-6d7e-470e-bc57-b8bac1c5e055.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1b2c8b68-d7ad-4f44-b5be-161d68f10b1f.vbs"
        8⤵
        
        PID:3036
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a48a7fab-29f7-4fd1-a8d9-e140718231ac.vbs"
        10⤵
        
        PID:1800
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2196e693-d2c9-428f-b659-51ac265150b4.vbs"
        12⤵
        
        PID:876
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b042edc6-8008-4ba4-83a0-1199e6c691a6.vbs"
        14⤵
        
        PID:2524
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ebfd1d36-b20b-4bdf-a43e-8eeecdc286e3.vbs"
        16⤵
        
        PID:540
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3953e02f-be7c-4276-9679-7c362d636b5d.vbs"
        18⤵
        
        PID:1632
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14ec3dd9-5589-4b10-9559-d6c703a91cf8.vbs"
        20⤵
        
        PID:1416
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61c8ee6e-10a3-4d8c-a193-af3065ad6706.vbs"
        20⤵
        
        PID:2776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cc3de45-e909-4d01-9ef1-4e2798adfff3.vbs"
        18⤵
        
        PID:2020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16053875-fcca-49ef-ac85-1a23d92444f5.vbs"
        16⤵
        
        PID:328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44353ea6-2697-4a31-93aa-4bbd81d58ffb.vbs"
        14⤵
        
        PID:1552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9c6005ba-e770-47e1-bf9b-7b71cd4cf970.vbs"
        12⤵
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b672f6db-6dd7-4537-a45e-b691d249af9a.vbs"
        10⤵
        
        PID:1952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acbc3c27-81c4-4c02-925b-d11e444190fb.vbs"
        8⤵
        
        PID:768
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2f8326e-c0ff-496b-ad68-069a43cbd2f1.vbs"
        6⤵
        
        PID:880
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3785fd2d-3f6a-4185-b6a6-fd9979cae67f.vbs"
      4⤵
      PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Application Data\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af19" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af19" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe

Filesize
1.7MB

MD5
64f23bf509820aaebdd17acf6ee2215f

SHA1
98a5be357387e3951149c993b0fc3e8753a57709

SHA256
94b1ba15a35f137c8596a97f28241c496b61bccec7597ed2f2004510e47b4af1

SHA512
cd068260c8ba60ef50f461677141872f79e3f13c14977bba519a57848f3ec96af4823955f28c7cf0d1ce362f145d59284e6e2a71f33897f7f818eb44c7564f29

Download Submit
C:\ProgramData\taskhost.exe

Filesize
1.7MB

MD5
8cadad3652227a58d189bebda3986d9c

SHA1
935ead0e63f3022d1fa589675959780cd28397dd

SHA256
185e6930450992352e8a4d3c6005a4da9ae065d566c1e2f65cfc596b6bdf1989

SHA512
bd1b875881fb9581e715c1f1cace79808b2d195ae088494d775222f2a02f06b1872924bcaab45b30a78102feda10bbe9d96bbf7ca910aca6485250e4358b381c

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe

Filesize
1.7MB

MD5
016840830c543c7099dc803daf04fc9f

SHA1
382a3150ac6e12c4b6b9361e35056cad55d8b3f9

SHA256
275b2b66cef248001e8fc7625345dfa775d72eaa8fa761d2addd5371b4fc108c

SHA512
b32b213b4d0ae389b7ad4cc5e64e99f86658c6a98878abc52dec7a7a2c77b64435ed98f369776b3d1dcd0d09e0e958f3421a1359f62b2dbfc52726cc0ba57dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\145f0923-6d7e-470e-bc57-b8bac1c5e055.vbs

Filesize
751B

MD5
7ac6d2dbed7c3782b126387619fdf7ef

SHA1
40f0647773fb74f5100caff0c327abe66cd6d32b

SHA256
7ebe9302a950b4d92bcb2d6292f128291ea4a718df609b8214cd97b4cf738fe9

SHA512
4d9a0fdfb40ef5852e5b32adc40faab4591922218bdd4479096f96cd4cb389a739ebad081f48974fbb6af6481b87e9cca06fb929524dfe9bf569a001758c93ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\14ec3dd9-5589-4b10-9559-d6c703a91cf8.vbs

Filesize
751B

MD5
3832ece883d067d3bebb019f15b4e1b4

SHA1
de314741addb8bd5f1d9720a617d3ab05e9c70b0

SHA256
6a935a20a3d04761f33ae30a4ad7b53301d5fddb7d6c254f4e24959bb5c7b015

SHA512
c0bf0064626a9805ad64d79bad4826545cb1f9075c9fc1cbfa7072067cfc8cf38e36dbc7ddbca24ed3473c5f7dfc7a8e3300d2f759cad1d213f26a575e4374a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1b2c8b68-d7ad-4f44-b5be-161d68f10b1f.vbs

Filesize
750B

MD5
499419d30650ac1ca0c4fbe1956b21c9

SHA1
1206b1dd1d9f8b762445fa2be8f8b434d294742b

SHA256
1fd48d90379df0b2b1bc05790d756d172e8d1c4cdff2baf969cc9dc29403cb85

SHA512
bf887ba0113e8435ad54842b9d519324486ad179bf93ec7c85a8df44c60ce4b0e5f0a27dce5577548ec686077ca65ac9c084277574b5749b04e3788d523f9766

Download Submit
C:\Users\Admin\AppData\Local\Temp\2196e693-d2c9-428f-b659-51ac265150b4.vbs

Filesize
751B

MD5
4e0247d31465c55d80e120b7d5f4ff7b

SHA1
8b2ad2288296653c5f2aa28c60b61e3cb4cea30f

SHA256
ae0a95ab18cc8dbc9bd22a4f6c70ba3de0d930acfe22f0d3350d241ad08e1ca4

SHA512
267467cc1a09497fd93bd6e2a837c25085e4ba71b7b1491bc19e5c6e4a9cc9c26d10ad1dff5846cb0b1b4d9777109a30d0226cb66e5205363a36859b7db31855

Download Submit
C:\Users\Admin\AppData\Local\Temp\3785fd2d-3f6a-4185-b6a6-fd9979cae67f.vbs

Filesize
527B

MD5
ca9df0b50afcb53ad7e6debc4b55e624

SHA1
dfb51f0f00f8560665c03fe9aee3ad243d3cce48

SHA256
9f616491e1c720944bd544eb059a525a4459fc2eef966a6d26213cf601fcb702

SHA512
4e62c0eded04e2191c28bc61dbf00802439f7a497b0050a58511515dfaab93ed84a2e550e7116b43118e06b64d7f68f3beda388dc38ecc1241b790326b59b0e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3953e02f-be7c-4276-9679-7c362d636b5d.vbs

Filesize
751B

MD5
62d0662a8230f8a367d43a789f113324

SHA1
e347f314822897578b93c8c0fadc122f72d62422

SHA256
0d8fdc47ccc5588ada7c715f777628f53cd95a78e6f71554a9ebcfdf32b3b65a

SHA512
9dbd1d18e557775b51a81216b039f069a6e5dd03528b676a58bbb5a06717a48ab4eb36e83f0f07ed70a8a7b6647e741c8d67b1ec7baf439265ad8a0c0f858388

Download Submit
C:\Users\Admin\AppData\Local\Temp\a48a7fab-29f7-4fd1-a8d9-e140718231ac.vbs

Filesize
751B

MD5
9773bd80d7d5fa5ea9f59dc08733743b

SHA1
2533cfd05e21d28155a07cfeee6080cc8517e444

SHA256
71e9717a55a4b38f34fc0f4736ff4b7174084b2fea89cda2039d9c9b0741a765

SHA512
33c2a70e873eb8d630fe2e5d8875e0b87b81138bd2e22edd130b9b508beb564f815d106bac50bd0b3449b9540f907b1eb9de2fde2dd80bb25dc6a589efd43476

Download Submit
C:\Users\Admin\AppData\Local\Temp\af1a746f-8ff4-4146-a4cb-99f995880144.vbs

Filesize
751B

MD5
c45e5115b8d41cfd89b55c9cc6bb4177

SHA1
f2f1d962cad42f41d6ad7e02a6d6e6ff09a4e3ce

SHA256
75b1b553a7614b39333d777b1f4b9809014406c3b3a81a97ea0f23ffbacc4b2d

SHA512
65bd110277af766616a1786495772bf94badb654f4fd5891c170b4bb83723b1a3911560ccc183c879c80774d82707f733534061b49ca090e63365ecf3660836e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b042edc6-8008-4ba4-83a0-1199e6c691a6.vbs

Filesize
751B

MD5
bd81498cb90676b49604bed19bfc16ce

SHA1
56c8f7996723d64135a182fb452141a24ba5a396

SHA256
9af58193c0470aa5a864a40287d32b50259d083a52a4b9889a14debda1eaffed

SHA512
91118963222ecf8b314a33350ee4e70875cf3967475ad8411fc34144f65e1754bee99ecd6b49335eb0ad01bcd94efbb5c9845133c32dbb720d49d1554c754798

Download Submit
C:\Users\Admin\AppData\Local\Temp\bjknkRRiu6.bat

Filesize
240B

MD5
e4b4d1827a9a34ff921dc223716538e6

SHA1
8f5739c9602e735cf7d7868be80be64cae118e3f

SHA256
d63b224c4fc6d452ce2ceaf6b468380cccb63864928db26cb49a65803a2e64a3

SHA512
e5d85559176929d8de75993dffde8fcecd2ab69b11e2c69ccb210f34eee44ad1a8a6d1a0dcfea8dd14d239cac7ef97b16bb9ba9adef10a53ed0ea509f3f5347b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ebfd1d36-b20b-4bdf-a43e-8eeecdc286e3.vbs

Filesize
750B

MD5
0aef5c6e55f1ec0bcc29919896de7693

SHA1
9015c8b86c13a4deec61d09e9cc7f35b2ac8fab9

SHA256
b21c9816a86418681ae7e23aca299f91066a4a719ef6cbe285cfc4824a20da5c

SHA512
b6f33781ded8bd7ab4d0284fb6f878249e17dbba56ef30c1e07416e2e315b47300e9254dbf588d5f2d297a644fd12374645904bb810d861918f999b9f74b8f4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
012f81cce82b674d706cc0bb8a5e6c34

SHA1
db312f093293e55f60e8f8bd49c528831e89867b

SHA256
6ded600994f8c2ab08d9150dbcd1781c32b6c119d764559941fccc5857b5f592

SHA512
94af9bace76de8dfc66b485dff1ebb1ea3c0c5c688a62eff9dac43778a5a16e07319641d9a3f2186c2e54bcc6c93a5dd9d1ae4a5a1401d0f528fb729a46777a3

Download Submit
memory/840-327-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1932-212-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2336-256-0x0000000000F80000-0x0000000001140000-memory.dmp

Filesize
1.8MB

Download
memory/2336-257-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/2528-361-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download
memory/2560-304-0x0000000001060000-0x0000000001220000-memory.dmp

Filesize
1.8MB

Download
memory/2636-12-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/2636-8-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2636-188-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/2636-18-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-1-0x0000000000D70000-0x0000000000F30000-memory.dmp

Filesize
1.8MB

Download
memory/2636-17-0x0000000002330000-0x000000000233C000-memory.dmp

Filesize
48KB

Download
memory/2636-16-0x0000000000D60000-0x0000000000D6C000-memory.dmp

Filesize
48KB

Download
memory/2636-15-0x0000000000D50000-0x0000000000D58000-memory.dmp

Filesize
32KB

Download
memory/2636-13-0x0000000000D30000-0x0000000000D3A000-memory.dmp

Filesize
40KB

Download
memory/2636-14-0x0000000000D40000-0x0000000000D4E000-memory.dmp

Filesize
56KB

Download
memory/2636-2-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-3-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2636-0-0x000007FEF5FA3000-0x000007FEF5FA4000-memory.dmp

Filesize
4KB

Download
memory/2636-11-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2636-4-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2636-9-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2636-194-0x000007FEF5FA0000-0x000007FEF698C000-memory.dmp

Filesize
9.9MB

Download
memory/2636-6-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2636-7-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2636-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2848-217-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2996-269-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2996-268-0x0000000000FB0000-0x0000000001170000-memory.dmp

Filesize
1.8MB

Download
memory/3052-292-0x00000000002C0000-0x0000000000480000-memory.dmp

Filesize
1.8MB

Download