dcrat | 5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Size

1.7MB
MD5

c6419678552ecc4e3b7ab9fb8af14746
SHA1

1f7473310ee24366acec3b901412adedf7be8308
SHA256

5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86
SHA512

f3dcccd3110d065d9453add7b28975bed60d010199798710d21064ef0b54acebcc4b4ed1090a3335bb1050d468b37c9e864a3cf9ab948af77dfc8a8d6b5454b1
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvC:eTHUxUoh1IF9gl2t

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2752	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2752	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3068-1-0x0000000000100000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/files/0x000600000001749c-27.dat	dcrat
behavioral1/files/0x0005000000019250-42.dat	dcrat
behavioral1/files/0x0015000000011c2c-77.dat	dcrat
behavioral1/memory/2344-161-0x0000000000300000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/968-243-0x0000000000E60000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/2500-255-0x0000000000290000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2216-268-0x0000000000310000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/1628-280-0x0000000000F20000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2400-303-0x0000000001210000-0x00000000013D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2624	powershell.exe
852	powershell.exe
1836	powershell.exe
2492	powershell.exe
1944	powershell.exe
1464	powershell.exe
2020	powershell.exe
1764	powershell.exe
1548	powershell.exe
1156	powershell.exe
1984	powershell.exe
1736	powershell.exe
1576	powershell.exe
1652	powershell.exe
1456	powershell.exe
708	powershell.exe
1544	powershell.exe
1120	powershell.exe
1252	powershell.exe
1152	powershell.exe
1780	powershell.exe
1272	powershell.exe
2452	powershell.exe
2480	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe

Executes dropped EXE 8 IoCs

pid	Process
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
968	taskhost.exe
2500	taskhost.exe
2216	taskhost.exe
1628	taskhost.exe
760	taskhost.exe
2400	taskhost.exe
1256	taskhost.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\en-US\sppsvc.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Program Files\Windows Media Player\en-US\0a1fd5f707cd16	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX2C29.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\RCX2C97.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Program Files\Windows Media Player\en-US\sppsvc.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\csrss.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\Tasks\886983d96e3d3e	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\Tasks\RCX233C.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\Tasks\RCX23AA.tmp	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\Logs\HomeGroup\taskhost.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\Logs\HomeGroup\b75386f1303e64	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File opened for modification	C:\Windows\Logs\HomeGroup\taskhost.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
File created	C:\Windows\Tasks\csrss.exe	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
2788	schtasks.exe
2344	schtasks.exe
448	schtasks.exe
2772	schtasks.exe
2916	schtasks.exe
2904	schtasks.exe
2792	schtasks.exe
2836	schtasks.exe
2696	schtasks.exe
2256	schtasks.exe
1816	schtasks.exe
2172	schtasks.exe
1880	schtasks.exe
3056	schtasks.exe
2844	schtasks.exe
2880	schtasks.exe
2268	schtasks.exe
2404	schtasks.exe
2420	schtasks.exe
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
1456	powershell.exe
1576	powershell.exe
1464	powershell.exe
2020	powershell.exe
1272	powershell.exe
1548	powershell.exe
1736	powershell.exe
1764	powershell.exe
1156	powershell.exe
1780	powershell.exe
1984	powershell.exe
1944	powershell.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
708	powershell.exe
2480	powershell.exe
2624	powershell.exe
2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
1836	powershell.exe
1152	powershell.exe
2452	powershell.exe
1544	powershell.exe
1252	powershell.exe
2492	powershell.exe
1652	powershell.exe
852	powershell.exe
1120	powershell.exe
968	taskhost.exe
968	taskhost.exe
968	taskhost.exe
968	taskhost.exe
968	taskhost.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1984	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	968	taskhost.exe
Token: SeDebugPrivilege	2500	taskhost.exe
Token: SeDebugPrivilege	2216	taskhost.exe
Token: SeDebugPrivilege	1628	taskhost.exe
Token: SeDebugPrivilege	760	taskhost.exe
Token: SeDebugPrivilege	2400	taskhost.exe
Token: SeDebugPrivilege	1256	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1944	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	46
PID 3068 wrote to memory of 1944	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	46
PID 3068 wrote to memory of 1944	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	46
PID 3068 wrote to memory of 1156	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	47
PID 3068 wrote to memory of 1156	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	47
PID 3068 wrote to memory of 1156	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	47
PID 3068 wrote to memory of 1464	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	48
PID 3068 wrote to memory of 1464	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	48
PID 3068 wrote to memory of 1464	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	48
PID 3068 wrote to memory of 1456	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	49
PID 3068 wrote to memory of 1456	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	49
PID 3068 wrote to memory of 1456	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	49
PID 3068 wrote to memory of 1984	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	50
PID 3068 wrote to memory of 1984	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	50
PID 3068 wrote to memory of 1984	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	50
PID 3068 wrote to memory of 1736	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	51
PID 3068 wrote to memory of 1736	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	51
PID 3068 wrote to memory of 1736	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	51
PID 3068 wrote to memory of 1576	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	52
PID 3068 wrote to memory of 1576	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	52
PID 3068 wrote to memory of 1576	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	52
PID 3068 wrote to memory of 2020	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	53
PID 3068 wrote to memory of 2020	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	53
PID 3068 wrote to memory of 2020	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	53
PID 3068 wrote to memory of 1548	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	54
PID 3068 wrote to memory of 1548	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	54
PID 3068 wrote to memory of 1548	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	54
PID 3068 wrote to memory of 1780	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	55
PID 3068 wrote to memory of 1780	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	55
PID 3068 wrote to memory of 1780	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	55
PID 3068 wrote to memory of 1764	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	56
PID 3068 wrote to memory of 1764	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	56
PID 3068 wrote to memory of 1764	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	56
PID 3068 wrote to memory of 1272	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	57
PID 3068 wrote to memory of 1272	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	57
PID 3068 wrote to memory of 1272	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	57
PID 3068 wrote to memory of 1732	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	70
PID 3068 wrote to memory of 1732	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	70
PID 3068 wrote to memory of 1732	3068	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	70
PID 1732 wrote to memory of 568	1732	cmd.exe	72
PID 1732 wrote to memory of 568	1732	cmd.exe	72
PID 1732 wrote to memory of 568	1732	cmd.exe	72
PID 1732 wrote to memory of 2344	1732	cmd.exe	73
PID 1732 wrote to memory of 2344	1732	cmd.exe	73
PID 1732 wrote to memory of 2344	1732	cmd.exe	73
PID 2344 wrote to memory of 2624	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	80
PID 2344 wrote to memory of 2624	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	80
PID 2344 wrote to memory of 2624	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	80
PID 2344 wrote to memory of 708	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	81
PID 2344 wrote to memory of 708	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	81
PID 2344 wrote to memory of 708	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	81
PID 2344 wrote to memory of 2452	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	82
PID 2344 wrote to memory of 2452	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	82
PID 2344 wrote to memory of 2452	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	82
PID 2344 wrote to memory of 2480	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	83
PID 2344 wrote to memory of 2480	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	83
PID 2344 wrote to memory of 2480	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	83
PID 2344 wrote to memory of 1252	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	84
PID 2344 wrote to memory of 1252	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	84
PID 2344 wrote to memory of 1252	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	84
PID 2344 wrote to memory of 1152	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	85
PID 2344 wrote to memory of 1152	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	85
PID 2344 wrote to memory of 1152	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	85
PID 2344 wrote to memory of 1544	2344	5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
"C:\Users\Admin\AppData\Local\Temp\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KeWzk8OD4y.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:568
- - C:\Users\Admin\AppData\Local\Temp\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe
    "C:\Users\Admin\AppData\Local\Temp\5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1252
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1152
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1544
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2492
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eE9QbXcUOX.bat"
      4⤵
      PID:2832
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1740
    - - C:\Windows\Logs\HomeGroup\taskhost.exe
        
        "C:\Windows\Logs\HomeGroup\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7fbcfa73-4501-4c6d-bb01-85666b364975.vbs"
        6⤵
        
        PID:2192
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2e33802-55cf-411a-b655-33fd54fc420c.vbs"
        8⤵
        
        PID:1744
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fd81fea9-8b44-4ff8-8bbd-5f044f73e0eb.vbs"
        10⤵
        
        PID:1660
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee486f13-5425-4980-a801-76c1f1b8b68a.vbs"
        12⤵
        
        PID:2732
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94c5a159-5b64-4894-b558-0e64bdb2b50a.vbs"
        14⤵
        
        PID:2184
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9e93f634-72f3-4991-b97b-b10060d74195.vbs"
        16⤵
        
        PID:2436
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        
        C:\Windows\Logs\HomeGroup\taskhost.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b81950b3-2d14-4c05-a617-172a7961980c.vbs"
        18⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2605e988-dd1f-4659-9c9a-14cd358c54a2.vbs"
        18⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0e98809-f8af-4827-961b-cae155e8986d.vbs"
        16⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5e825f3-f845-40ec-adaa-f84657d0b6c6.vbs"
        14⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e58b8050-ebc7-481e-8567-3188f2f39036.vbs"
        12⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f03ec4a-09e3-4c17-ab03-67de685796b7.vbs"
        10⤵
        
        PID:2392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\544609a2-13a9-4f46-839a-92bf6531d798.vbs"
        8⤵
        
        PID:2364
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3155d3de-535e-4992-a1ce-5cfab069146b.vbs"
        6⤵
        
        PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\PrintHood\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Logs\HomeGroup\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Logs\HomeGroup\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\HomeGroup\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows Media Player\en-US\sppsvc.exe

Filesize
1.7MB

MD5
c6419678552ecc4e3b7ab9fb8af14746

SHA1
1f7473310ee24366acec3b901412adedf7be8308

SHA256
5bfc6e78d8c1ba1f57ca71be8e3044fc5ced325b8251091aa36247e8db6a3c86

SHA512
f3dcccd3110d065d9453add7b28975bed60d010199798710d21064ef0b54acebcc4b4ed1090a3335bb1050d468b37c9e864a3cf9ab948af77dfc8a8d6b5454b1

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe

Filesize
1.7MB

MD5
09e39cc18187f6f0f718ff2613dae597

SHA1
bde1a6b4f91fb978e100311f2195ec93af6766b8

SHA256
b9b1c19738ce1660246f494a52c4de8832a5475552867fece1047f793ef766b0

SHA512
9c12a193968e369cc33fd6d51ff9886341d731adc2a55100d79d71b57b3bf1755b9269a2ae8f9fe5acec92615bab351c9c8aa65d10eefe299cfd5876363a45de

Download Submit
C:\Users\Admin\AppData\Local\Temp\3155d3de-535e-4992-a1ce-5cfab069146b.vbs

Filesize
490B

MD5
c99283298e08cfa35810ec14b8e3f1d4

SHA1
50edc329c35a8ddd1d33620d1e2ce9aed8f75392

SHA256
014ab0c2fcb233d94ad74f9ab99016ab7ccb3573d422d741873981804b0341e1

SHA512
4f7729e78cf007878bb09d35ab303e5aa9252fb87fb63ed6689616e9f7c4bd06a73f538be2b69fea8140561180fa2e81e55677640435f68818a91434c3716133

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fbcfa73-4501-4c6d-bb01-85666b364975.vbs

Filesize
713B

MD5
21408d5de5aabba2aa01e0ba07f2fee0

SHA1
f234881c39daf437190d5afe24a439163bc0424a

SHA256
b9f83f171fa6621df87df3c38706c22d811d18ea30a85fe531cc44ccfc481ae7

SHA512
ff3dbd80c3840cc6c2df3d5fd6e821b08f30f29fa4bc8e02ca54f2c754a3de0d97a206c58902833cb47a2c67e5435621b77c7cd5493ea25dab4928f642fab6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\94c5a159-5b64-4894-b558-0e64bdb2b50a.vbs

Filesize
713B

MD5
eefc5ab5fbdcbf715e8b0ec2afcd1400

SHA1
ad8cf697f3e3eea14388fe06c62f1140e7ce1e58

SHA256
22b9314be4695c659e09e1edffe7f838ee7887c2300ae466149307988e336542

SHA512
946b64d461f6a171eae25e90160297578053c0c34febd3adf519c54116e960cf56b50697e40dbce06b95ff5dfa538d1c43bf57c9965ee612556c77d4eaf80330

Download Submit
C:\Users\Admin\AppData\Local\Temp\9e93f634-72f3-4991-b97b-b10060d74195.vbs

Filesize
714B

MD5
810f8715a1b813e6947824889262ee3f

SHA1
27703c441b160b83c95c8c726b75593eb43cfaa9

SHA256
0fb624d6bf52c833346c92ba27673cb04ce1ac0d2a3be4907133042b2266eec6

SHA512
9cc88f653a6e325747fe4e76b4018e653da63444576fb6ec74ec96a9755115feb7b64284775abd1eec35724b90f346a552a9890af576c43923455452c74336ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\KeWzk8OD4y.bat

Filesize
267B

MD5
6a7d14baceda2d5411e4860e577fb717

SHA1
53c87b13b5699b5d07ec514c13264096b8a8f659

SHA256
1a885bf7de65c074c045ea8a87f81898ced93a7cb8ac5affd33199d5e2829116

SHA512
543e678740cce4be91f3cc325ec48a6ddfae535332ed454fe44ac8f12cb47cb821568be743983b5440044abb16fe85a21f4999711e3a848249b155f3acefaf7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2e33802-55cf-411a-b655-33fd54fc420c.vbs

Filesize
714B

MD5
79c2cae1fc674ab4773f1632609f2bc9

SHA1
650929b73f02bac56b9df92f4c2e226970bbe5f6

SHA256
7bf762ca14b9c3e92bb1bb8819663677a2e731c59ffd07df9c50044d4b6d5a21

SHA512
40f3b3155c4798a136176bbb7bdf47894cd5eb8643dee3ae8b3a25dd4db6b9bd6a1f2f48b74459b89a8ebb06441c4ac8185fd6292a88bc9e54a89c42508fd10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\b81950b3-2d14-4c05-a617-172a7961980c.vbs

Filesize
714B

MD5
0cfbb703412534aee794303ee505acbe

SHA1
b9d6a51b1f4c533d51284b07ad359c94627dedde

SHA256
92c7a7c637e7983f3c705860bf9e9a2da8362dce920ff837c2ae5a9a8b90c8e7

SHA512
88bb5f84e0f37a995c73aa2f7e949102a977b82e63e6842d0ff66969d9031f24378d3ea13c3a717933df38aaf4b974051fcb0f7b7ce76d611ea3ce487261dd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eE9QbXcUOX.bat

Filesize
203B

MD5
73338e19a8afc7521c8ccc452068b387

SHA1
c7a710a302a6ca88389daece6a1b02817a967270

SHA256
d385ade3a83a3f40294444dfbd4ff9ea7d6aadff557034814b6018f252241a9c

SHA512
f00295b0c87618ef5d784e299e43b8c31adb6a51a58b8d4c9a0dd22174268819c2badda3fc78c11ad453669098c6944d7a59ed5c080eb35349b080aabe64ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee486f13-5425-4980-a801-76c1f1b8b68a.vbs

Filesize
714B

MD5
9671adfd723e872284cd49fa70065d3d

SHA1
2bac55856fb92d3c8a5ce4149a8001feb53081a6

SHA256
7a7cb1616b68fc8d500cccf01acd64d2388f95228c735039d20239410e9642bc

SHA512
02bec61ee48b601c2b45344408507dedb75ff538b7c60ccd6c9902d14a8de28751ee737461d1856a84a220f55afcd50e18cc819b3634d5f119bc139681c4f84d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fd81fea9-8b44-4ff8-8bbd-5f044f73e0eb.vbs

Filesize
714B

MD5
640d6314a4a09beff5d1fef277d82b8a

SHA1
7fee3fa5d5884a82c797b406f69b2dfba4d95b31

SHA256
26e527a68d8a3a158cb4686413e1972dd40a2decb9895e475b06e093089b619b

SHA512
b32485aef7221c318a2f70162e8a5d715fbf735fcc6d2dd45f6f5055f2125ad04dc815c8e5436ed8f713e2ff66f8e9ea1728589911a97009fd44363693e59062

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b424601ed7a5dff9534faea80900e534

SHA1
737990f1060c24b9ebcb13ada33d2c67b339ca1b

SHA256
b400d8d1d3168e5982c0681a11a0344314367f7658561bff515008de559313a1

SHA512
06714f75164f2bd4fd3050954d3da81e56a810a84e75322c69d06c4483f84f6afc3b1cad0bb1e063afe1db717caea533de595674c105d670460f9cfe52ce9efa

Download Submit
C:\Windows\Tasks\csrss.exe

Filesize
1.7MB

MD5
2ade981de7317f58fe9a67171fc61c81

SHA1
167e2091e46b722b7a4e57ca31d336d3d089084f

SHA256
b33ef697084cd1570cb7b913a9374a88bdcb048d9767bbdce0101cf76a83e1f1

SHA512
454ad5b24719a86bc452ec49bd5e9c70945c2f067cfe751471addbe398eaa1396618e5f276a352937362fde0b6292003d82d2dd822c6ac67dca203cdfaa4d472

Download Submit
memory/708-185-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/708-190-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/968-243-0x0000000000E60000-0x0000000001020000-memory.dmp

Filesize
1.8MB

Download
memory/968-244-0x0000000000D90000-0x0000000000DA2000-memory.dmp

Filesize
72KB

Download
memory/1456-127-0x0000000001E30000-0x0000000001E38000-memory.dmp

Filesize
32KB

Download
memory/1576-126-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1628-280-0x0000000000F20000-0x00000000010E0000-memory.dmp

Filesize
1.8MB

Download
memory/2216-268-0x0000000000310000-0x00000000004D0000-memory.dmp

Filesize
1.8MB

Download
memory/2344-162-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/2344-161-0x0000000000300000-0x00000000004C0000-memory.dmp

Filesize
1.8MB

Download
memory/2400-303-0x0000000001210000-0x00000000013D0000-memory.dmp

Filesize
1.8MB

Download
memory/2500-256-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2500-255-0x0000000000290000-0x0000000000450000-memory.dmp

Filesize
1.8MB

Download
memory/3068-11-0x000000001AC80000-0x000000001AC92000-memory.dmp

Filesize
72KB

Download
memory/3068-99-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-13-0x000000001AD70000-0x000000001AD7A000-memory.dmp

Filesize
40KB

Download
memory/3068-12-0x000000001AD30000-0x000000001AD3C000-memory.dmp

Filesize
48KB

Download
memory/3068-18-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-9-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/3068-8-0x0000000001FB0000-0x0000000001FBC000-memory.dmp

Filesize
48KB

Download
memory/3068-6-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/3068-15-0x000000001AD50000-0x000000001AD58000-memory.dmp

Filesize
32KB

Download
memory/3068-14-0x000000001AD40000-0x000000001AD4E000-memory.dmp

Filesize
56KB

Download
memory/3068-7-0x0000000001FA0000-0x0000000001FB0000-memory.dmp

Filesize
64KB

Download
memory/3068-16-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/3068-5-0x0000000000840000-0x0000000000850000-memory.dmp

Filesize
64KB

Download
memory/3068-0-0x000007FEF6103000-0x000007FEF6104000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x0000000000720000-0x0000000000728000-memory.dmp

Filesize
32KB

Download
memory/3068-3-0x0000000000700000-0x000000000071C000-memory.dmp

Filesize
112KB

Download
memory/3068-17-0x000000001AD80000-0x000000001AD8C000-memory.dmp

Filesize
48KB

Download
memory/3068-2-0x000007FEF6100000-0x000007FEF6AEC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-1-0x0000000000100000-0x00000000002C0000-memory.dmp

Filesize
1.8MB

Download