dcrat | 546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531b

Analysis

max time kernel
34s
max time network
114s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
Size

1.7MB
MD5

9e38d3b137fb47178d7a651e0faab690
SHA1

5d95d535526305e76bd6371eecba4ca2f44f3a42
SHA256

546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531b
SHA512

229d68f06d073d7cae4460a0b5c31140c6e9a5746e26b23418a47c3a1b06974f9b552c53e6e22280b430982d966a87f74d248fee0dfae74f4cf6e0ffdddc8ff9
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2896	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2896	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2640-1-0x00000000012B0000-0x0000000001470000-memory.dmp	dcrat
behavioral1/files/0x0005000000019c34-27.dat	dcrat
behavioral1/files/0x000f000000018b68-127.dat	dcrat
behavioral1/memory/2892-259-0x0000000000A70000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/2644-270-0x0000000000D60000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/2656-282-0x0000000001220000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/664-305-0x0000000001360000-0x0000000001520000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2712	powershell.exe
1572	powershell.exe
1980	powershell.exe
2580	powershell.exe
2768	powershell.exe
2604	powershell.exe
908	powershell.exe
1504	powershell.exe
3012	powershell.exe
2968	powershell.exe
1968	powershell.exe
1652	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe

Executes dropped EXE 2 IoCs

pid	Process
2892	Idle.exe
2644	Idle.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\audiodg.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\RCX5957.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\5940a34987c991	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\56085415360792	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\RCX4ED2.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX50D7.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\Idle.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX52DB.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\RCX5958.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Program Files (x86)\Google\CrashReports\6ccacd8608530f	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\RCX4ED3.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX50D6.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\wininit.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\dllhost.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Program Files (x86)\Google\CrashReports\Idle.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\42af1c969fbb7b	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\dllhost.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX52DC.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\audiodg.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\csrss.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Windows\Setup\State\RCX5FE2.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Windows\Setup\State\RCX5FE3.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Windows\PolicyDefinitions\886983d96e3d3e	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCX5B5C.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Windows\Setup\State\b75386f1303e64	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCX5B5D.tmp	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File opened for modification	C:\Windows\Setup\State\taskhost.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Windows\PolicyDefinitions\csrss.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
File created	C:\Windows\Setup\State\taskhost.exe	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
448	schtasks.exe
2344	schtasks.exe
2856	schtasks.exe
2012	schtasks.exe
1468	schtasks.exe
2160	schtasks.exe
1172	schtasks.exe
2712	schtasks.exe
2560	schtasks.exe
2140	schtasks.exe
1768	schtasks.exe
2632	schtasks.exe
1644	schtasks.exe
1856	schtasks.exe
1632	schtasks.exe
2144	schtasks.exe
2356	schtasks.exe
2832	schtasks.exe
2172	schtasks.exe
2224	schtasks.exe
1940	schtasks.exe
2768	schtasks.exe
2920	schtasks.exe
1928	schtasks.exe
1736	schtasks.exe
1804	schtasks.exe
3048	schtasks.exe
1020	schtasks.exe
2780	schtasks.exe
892	schtasks.exe
2868	schtasks.exe
2120	schtasks.exe
2372	schtasks.exe
1992	schtasks.exe
2960	schtasks.exe
2180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
2968	powershell.exe
2712	powershell.exe
2580	powershell.exe
2768	powershell.exe
1504	powershell.exe
2604	powershell.exe
1968	powershell.exe
3012	powershell.exe
1572	powershell.exe
1652	powershell.exe
1980	powershell.exe
908	powershell.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe
2892	Idle.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2892	Idle.exe
Token: SeDebugPrivilege	2644	Idle.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2604	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	67
PID 2640 wrote to memory of 2604	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	67
PID 2640 wrote to memory of 2604	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	67
PID 2640 wrote to memory of 2712	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	68
PID 2640 wrote to memory of 2712	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	68
PID 2640 wrote to memory of 2712	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	68
PID 2640 wrote to memory of 1572	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	69
PID 2640 wrote to memory of 1572	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	69
PID 2640 wrote to memory of 1572	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	69
PID 2640 wrote to memory of 908	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	70
PID 2640 wrote to memory of 908	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	70
PID 2640 wrote to memory of 908	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	70
PID 2640 wrote to memory of 1504	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	71
PID 2640 wrote to memory of 1504	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	71
PID 2640 wrote to memory of 1504	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	71
PID 2640 wrote to memory of 3012	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	72
PID 2640 wrote to memory of 3012	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	72
PID 2640 wrote to memory of 3012	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	72
PID 2640 wrote to memory of 2968	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	73
PID 2640 wrote to memory of 2968	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	73
PID 2640 wrote to memory of 2968	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	73
PID 2640 wrote to memory of 1980	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	74
PID 2640 wrote to memory of 1980	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	74
PID 2640 wrote to memory of 1980	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	74
PID 2640 wrote to memory of 2580	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	75
PID 2640 wrote to memory of 2580	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	75
PID 2640 wrote to memory of 2580	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	75
PID 2640 wrote to memory of 2768	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	76
PID 2640 wrote to memory of 2768	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	76
PID 2640 wrote to memory of 2768	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	76
PID 2640 wrote to memory of 1968	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	77
PID 2640 wrote to memory of 1968	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	77
PID 2640 wrote to memory of 1968	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	77
PID 2640 wrote to memory of 1652	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	78
PID 2640 wrote to memory of 1652	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	78
PID 2640 wrote to memory of 1652	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	78
PID 2640 wrote to memory of 2892	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	91
PID 2640 wrote to memory of 2892	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	91
PID 2640 wrote to memory of 2892	2640	546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe	91
PID 2892 wrote to memory of 2704	2892	Idle.exe	92
PID 2892 wrote to memory of 2704	2892	Idle.exe	92
PID 2892 wrote to memory of 2704	2892	Idle.exe	92
PID 2892 wrote to memory of 2708	2892	Idle.exe	93
PID 2892 wrote to memory of 2708	2892	Idle.exe	93
PID 2892 wrote to memory of 2708	2892	Idle.exe	93
PID 2704 wrote to memory of 2644	2704	WScript.exe	94
PID 2704 wrote to memory of 2644	2704	WScript.exe	94
PID 2704 wrote to memory of 2644	2704	WScript.exe	94
PID 2644 wrote to memory of 1496	2644	Idle.exe	95
PID 2644 wrote to memory of 1496	2644	Idle.exe	95
PID 2644 wrote to memory of 1496	2644	Idle.exe	95
PID 2644 wrote to memory of 3044	2644	Idle.exe	96
PID 2644 wrote to memory of 3044	2644	Idle.exe	96
PID 2644 wrote to memory of 3044	2644	Idle.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe
"C:\Users\Admin\AppData\Local\Temp\546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531bN.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
  "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44435e60-d860-41c5-97b5-b9ac4d70c0c0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
      C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dc7ed65-fe08-4c37-bbb7-88a6604dc292.vbs"
        5⤵
        
        PID:1496
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        6⤵
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c816fe3f-4099-4a74-8e43-e490b51738ad.vbs"
        7⤵
        
        PID:2880
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        8⤵
        
        PID:828
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9a5e3ac-f119-40a1-9664-e716be002fa8.vbs"
        9⤵
        
        PID:292
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        10⤵
        
        PID:664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\791af3af-4b69-4e4a-addd-cc5633396bef.vbs"
        11⤵
        
        PID:2940
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        12⤵
        
        PID:2724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e504c9f-3669-4e3c-b110-3a184d4d80dd.vbs"
        13⤵
        
        PID:1992
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        14⤵
        
        PID:924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7fd2dfa-e52d-4f4b-94de-66694001e6dc.vbs"
        15⤵
        
        PID:684
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        16⤵
        
        PID:1072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96f6dacc-5d4c-493b-9004-90925ac35ddc.vbs"
        17⤵
        
        PID:900
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe
        18⤵
        
        PID:1316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8f33dea3-2a83-433e-82c5-74c1702da18e.vbs"
        19⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\291bf8fe-c5bc-45b4-9199-8ee01b4f2a5c.vbs"
        19⤵
        
        PID:3024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\38d72543-9c54-465b-a337-4e18aec20a7d.vbs"
        17⤵
        
        PID:2404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93eda823-2d35-4540-ae63-05c0dc2f6df3.vbs"
        15⤵
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea9bd24e-fc1d-4d61-b857-90341a22e309.vbs"
        13⤵
        
        PID:2060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36a548a8-0d51-4b6e-82ae-2c5a8dcba880.vbs"
        11⤵
        
        PID:2600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1c2fe81-080e-4008-886f-298f12c5e24e.vbs"
        9⤵
        
        PID:2148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6aa98557-42a0-46be-aca9-236e7174cba9.vbs"
        7⤵
        
        PID:2092
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\922446a3-6a7a-4c86-9577-70792027eb64.vbs"
        5⤵
        
        PID:3044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb3f5c1c-5207-4b66-99a9-678451c14d0d.vbs"
    3⤵
    PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Setup\State\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Setup\State\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\Office14\1033\wininit.exe

Filesize
1.7MB

MD5
9e38d3b137fb47178d7a651e0faab690

SHA1
5d95d535526305e76bd6371eecba4ca2f44f3a42

SHA256
546ca44e32049e1e1de5227c9107a4412e667006b68c46b257f07fa649b0531b

SHA512
229d68f06d073d7cae4460a0b5c31140c6e9a5746e26b23418a47c3a1b06974f9b552c53e6e22280b430982d966a87f74d248fee0dfae74f4cf6e0ffdddc8ff9

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe

Filesize
1.7MB

MD5
266a14bb8a7dad816a58226944cad06f

SHA1
7623226213fe21c42604e241e515cef62ab6b685

SHA256
a6ce52e77b5eb1fbc62297189b013e6685f7b9338dd1491c1c5036115e8b3b07

SHA512
87541b6e30c855db37d8b95e0e5ed3cda99f93bd3c7600d2b016c564de2df846996486df7df5915f5775deac836a32201fc95e671c001763dedf63cf801200a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\44435e60-d860-41c5-97b5-b9ac4d70c0c0.vbs

Filesize
733B

MD5
b1bcd681f43f1ab5a1bc01dd08a9a103

SHA1
675ed32694b7722dfcd901ef167988aa5738b222

SHA256
98ac3f776acb0d313637bd461a9ebdc8db8eed373fc2931f30389055f15585c5

SHA512
51c85a6bc047dab21f4890694f078cc5acce972e51d7f05a5fadc2ae33145601c7679c8ecedb7aa5490c1f5e5ae00588bda80b6fbcddf1da1dbb347fe93a76cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e504c9f-3669-4e3c-b110-3a184d4d80dd.vbs

Filesize
733B

MD5
87b194490509ee3f817772c7d8dc15f2

SHA1
a2608bdcae3815976a67092c152545b57a9c0d9b

SHA256
7a6128885775609d35891126e3d28768232b63477dc7e6ab4b62e6697f3d6915

SHA512
226541a9cfa223b33df230f66f5ee12033b1882e830a4b93bbdd61c56b2bf78fe5c9e1aa2d861eeb8721d036fadc46c61f69520607a254cef333811056634e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\791af3af-4b69-4e4a-addd-cc5633396bef.vbs

Filesize
732B

MD5
b40d393e081f914373b96492851ca2d2

SHA1
d1fe0fbaf8e35ccf265fff5c4532d3d4950f8269

SHA256
b2e2096d1f5ad8b585167fa6025b2a7a1d399cb69f08a93683d93e2a6ed8cd67

SHA512
b87de5f7270248db3e9bc4ea9cdc36e4ac167796e984d231fc268d83d802dbc816ef5a6c68fd7a214c4203b304d29f2d5d65f1d5fa564e64231f12fccf0e70a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8dc7ed65-fe08-4c37-bbb7-88a6604dc292.vbs

Filesize
733B

MD5
93603d49436a28da5e49a430d47b24ec

SHA1
efe8b0bd17371e9a024642671a5b57d57f658caa

SHA256
9323103793729cc2619770277143fa3188cde6ca20423ccd163f4fd6a53a49f7

SHA512
5ad859be6e2225dfea383af9ce6ab1ff4f8ffa1d440984a503b216865b6fe74c53e7ebdbbcfdc9591cbad3dfb1060c231f3f2cebcd2f95fd729ac0c4c21951cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f33dea3-2a83-433e-82c5-74c1702da18e.vbs

Filesize
733B

MD5
0838c27b7a88c785ce7e9cd34a4be650

SHA1
9c8b68a39200cd83fb30f8dc432f981f44ad5f6c

SHA256
e77e572ccf1769728b55b6e70c135f12dc1eb18bd2abdee53404fe3250c5f668

SHA512
28e2a2637279df7454937d595ae29f17dbf13cdda40b2c97a687b2f8f75262130412802c57f29902a07df67e540852cf39463447c0a47750c2a74947568c44d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f6dacc-5d4c-493b-9004-90925ac35ddc.vbs

Filesize
733B

MD5
bcb9c05aac8a6c6401d6d4338fbd792b

SHA1
1d3aaf63ff4df2e00d16ea327fa9ddb073df9c23

SHA256
821cac714536e9756a5a66873648e4ff731f5311e00291ea19a747f97372b4de

SHA512
3f06b6b66606e6166e12f0a50eb9b8e3c1adf320da28f07162c4e986a1f8081996edc94ecc74525bd2294c34921350dfc6bb6fbfbf1412b711f67fe1ff44ba05

Download Submit
C:\Users\Admin\AppData\Local\Temp\c816fe3f-4099-4a74-8e43-e490b51738ad.vbs

Filesize
733B

MD5
09cef3627e31abee2dd30eca5bff495e

SHA1
8f6b5e9a60ebfd79c35f08c6c2312c193b7ae55c

SHA256
7d587295c1ad9fdfc48e925c6c46d0ee27c66dd4a442ae076f95be1e62523715

SHA512
327e4588f323f237714b46cb4c5e1546b27063211d841a82159c0eb9b5b96313abb9f6f00a00d71aea7e292deb01842c3e16213c1ab26a7b6c7bfd6046fdb5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb3f5c1c-5207-4b66-99a9-678451c14d0d.vbs

Filesize
509B

MD5
9a43d879cb669714d74b55ef738d1eed

SHA1
628c29975893a11bdf3c4e15ff242e66dd9d52e6

SHA256
5430420ff32484da926f6384387fd3b91656ec479abe2f350eab5fa6e4e8f36c

SHA512
ae7c409a2e2d733e3449fde04ae3026f7c5131c83949717d2d68dbeabe425ba438a1afaf8609a5721db57d48fd1c03a9710849061eba7693e643a63d3afe3a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\d9a5e3ac-f119-40a1-9664-e716be002fa8.vbs

Filesize
732B

MD5
4d1c03a92be13a51304891e63bc6b7e8

SHA1
1249640d57e9712d0afb1731aa638b253e0b7241

SHA256
15d1e1cfd3c07a2a903c9ed2982ca1d8ef8a5c565c9312e12751ea66808d70b3

SHA512
38806c38412bc9b010f84bfbacac0ba6c0823c185dfe80d4575e3a6eadb12548c4141eaec819457131f4328ce088c4289ede3ca18031549ce0e0bf8ca2910c5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f7fd2dfa-e52d-4f4b-94de-66694001e6dc.vbs

Filesize
732B

MD5
e27c6e9351d76af7059f6766809c4a47

SHA1
45f4ca5f8d7870e33f0f83f22e8ef13ef48775bf

SHA256
7fa275e2d098f5b409704ff5de62bbefeab93495db1f0c09cf0e61ba1c9b06c7

SHA512
62358e37c5db11be13f37b00507bc2bba4da069875174795df2f5276a44d6e504243ab95e063fd9e5b854a598d133c4d24efd50d6a4bfcbce672a569aa2a44de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f5553cce57f28aafdd97ff4ac243d5cf

SHA1
609d9fccec216b5fbdff11217e02c3379079ccd3

SHA256
91230220f72a69054f1761278479509a306498c5c156c8a273a8f642ca21ff3b

SHA512
e861cd667e34245a17cb0c6c992ed9fcb8e0e2e047f1adb4eef8cda272217c7f52643c49a2f8ab173e5555513121dea1a2e7c2c1cd3573273445abdad6eb5e0a

Download Submit
memory/664-305-0x0000000001360000-0x0000000001520000-memory.dmp

Filesize
1.8MB

Download
memory/1316-350-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2640-190-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/2640-257-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-18-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-16-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2640-15-0x0000000000630000-0x0000000000638000-memory.dmp

Filesize
32KB

Download
memory/2640-0-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/2640-1-0x00000000012B0000-0x0000000001470000-memory.dmp

Filesize
1.8MB

Download
memory/2640-2-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-13-0x0000000000610000-0x000000000061A000-memory.dmp

Filesize
40KB

Download
memory/2640-4-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2640-3-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/2640-14-0x0000000000620000-0x000000000062E000-memory.dmp

Filesize
56KB

Download
memory/2640-12-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2640-17-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2640-11-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2640-5-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2640-9-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2640-8-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2640-7-0x00000000005A0000-0x00000000005B0000-memory.dmp

Filesize
64KB

Download
memory/2640-6-0x0000000000370000-0x0000000000386000-memory.dmp

Filesize
88KB

Download
memory/2644-270-0x0000000000D60000-0x0000000000F20000-memory.dmp

Filesize
1.8MB

Download
memory/2656-282-0x0000000001220000-0x00000000013E0000-memory.dmp

Filesize
1.8MB

Download
memory/2712-201-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2892-259-0x0000000000A70000-0x0000000000C30000-memory.dmp

Filesize
1.8MB

Download
memory/2968-202-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download