dcrat | 7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Size

1.7MB
MD5

89b97de873721b7f7c0e290f3009714a
SHA1

a497ecfd40010292888930dad8e90139555a53a1
SHA256

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2
SHA512

48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvX:eTHUxUoh1IF9gl2o

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2360	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2360	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2976-1-0x00000000013D0000-0x0000000001590000-memory.dmp	dcrat
behavioral1/files/0x000500000001a3e6-27.dat	dcrat
behavioral1/files/0x000600000001a4b8-66.dat	dcrat
behavioral1/files/0x000a00000001a3ea-101.dat	dcrat
behavioral1/files/0x000900000001a3e6-124.dat	dcrat
behavioral1/files/0x000700000001a423-135.dat	dcrat
behavioral1/files/0x000600000001a470-159.dat	dcrat
behavioral1/memory/2380-230-0x00000000010B0000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/3048-241-0x0000000000090000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2756-253-0x0000000000850000-0x0000000000A10000-memory.dmp	dcrat
behavioral1/memory/1696-265-0x0000000000D60000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/1516-277-0x0000000000210000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/3060-289-0x0000000001130000-0x00000000012F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2304	powershell.exe
2076	powershell.exe
2060	powershell.exe
2692	powershell.exe
2928	powershell.exe
2668	powershell.exe
2804	powershell.exe
1712	powershell.exe
1056	powershell.exe
2708	powershell.exe
2680	powershell.exe
2464	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Executes dropped EXE 7 IoCs

pid	Process
2380	OSPPSVC.exe
3048	OSPPSVC.exe
2756	OSPPSVC.exe
1696	OSPPSVC.exe
1516	OSPPSVC.exe
3060	OSPPSVC.exe
2660	OSPPSVC.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\es-ES\audiodg.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\DVD Maker\de-DE\56085415360792	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\audiodg.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXD1CC.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXCB31.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCXDDD7.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Microsoft Office\RCXD1CD.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Microsoft Office\WmiPrvSE.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCXDD68.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Microsoft Office\WmiPrvSE.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Microsoft Office\24dbde2999530e	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\DVD Maker\de-DE\wininit.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXCB32.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\42af1c969fbb7b	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\wininit.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0005\sppsvc.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXC8A0.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\LiveKernelReports\services.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\system\RCXDAF6.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\system\spoolsv.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\LiveKernelReports\services.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\LiveKernelReports\c5b4cb5e9653cc	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\system\spoolsv.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\system\f3b6ecef712a24	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXC90E.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\system\RCXDAF7.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2680	schtasks.exe
2752	schtasks.exe
3036	schtasks.exe
2664	schtasks.exe
576	schtasks.exe
2120	schtasks.exe
1732	schtasks.exe
1392	schtasks.exe
2860	schtasks.exe
1592	schtasks.exe
2148	schtasks.exe
2276	schtasks.exe
2728	schtasks.exe
2564	schtasks.exe
3028	schtasks.exe
1356	schtasks.exe
2892	schtasks.exe
2280	schtasks.exe
2244	schtasks.exe
3008	schtasks.exe
372	schtasks.exe
1740	schtasks.exe
2012	schtasks.exe
2044	schtasks.exe
2436	schtasks.exe
2560	schtasks.exe
2884	schtasks.exe
2724	schtasks.exe
2720	schtasks.exe
1984	schtasks.exe
1780	schtasks.exe
1656	schtasks.exe
1324	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
1056	powershell.exe
2464	powershell.exe
2060	powershell.exe
1712	powershell.exe
2708	powershell.exe
2804	powershell.exe
2928	powershell.exe
2076	powershell.exe
2668	powershell.exe
2692	powershell.exe
2680	powershell.exe
2304	powershell.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe
2380	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2380	OSPPSVC.exe
Token: SeDebugPrivilege	3048	OSPPSVC.exe
Token: SeDebugPrivilege	2756	OSPPSVC.exe
Token: SeDebugPrivilege	1696	OSPPSVC.exe
Token: SeDebugPrivilege	1516	OSPPSVC.exe
Token: SeDebugPrivilege	3060	OSPPSVC.exe
Token: SeDebugPrivilege	2660	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2464	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	65
PID 2976 wrote to memory of 2464	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	65
PID 2976 wrote to memory of 2464	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	65
PID 2976 wrote to memory of 1056	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	66
PID 2976 wrote to memory of 1056	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	66
PID 2976 wrote to memory of 1056	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	66
PID 2976 wrote to memory of 2060	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	67
PID 2976 wrote to memory of 2060	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	67
PID 2976 wrote to memory of 2060	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	67
PID 2976 wrote to memory of 2076	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	68
PID 2976 wrote to memory of 2076	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	68
PID 2976 wrote to memory of 2076	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	68
PID 2976 wrote to memory of 1712	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	70
PID 2976 wrote to memory of 1712	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	70
PID 2976 wrote to memory of 1712	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	70
PID 2976 wrote to memory of 2304	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	71
PID 2976 wrote to memory of 2304	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	71
PID 2976 wrote to memory of 2304	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	71
PID 2976 wrote to memory of 2692	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	76
PID 2976 wrote to memory of 2692	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	76
PID 2976 wrote to memory of 2692	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	76
PID 2976 wrote to memory of 2928	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	77
PID 2976 wrote to memory of 2928	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	77
PID 2976 wrote to memory of 2928	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	77
PID 2976 wrote to memory of 2708	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	78
PID 2976 wrote to memory of 2708	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	78
PID 2976 wrote to memory of 2708	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	78
PID 2976 wrote to memory of 2680	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	79
PID 2976 wrote to memory of 2680	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	79
PID 2976 wrote to memory of 2680	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	79
PID 2976 wrote to memory of 2668	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	80
PID 2976 wrote to memory of 2668	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	80
PID 2976 wrote to memory of 2668	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	80
PID 2976 wrote to memory of 2804	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	81
PID 2976 wrote to memory of 2804	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	81
PID 2976 wrote to memory of 2804	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	81
PID 2976 wrote to memory of 1496	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	89
PID 2976 wrote to memory of 1496	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	89
PID 2976 wrote to memory of 1496	2976	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	89
PID 1496 wrote to memory of 1648	1496	cmd.exe	91
PID 1496 wrote to memory of 1648	1496	cmd.exe	91
PID 1496 wrote to memory of 1648	1496	cmd.exe	91
PID 1496 wrote to memory of 2380	1496	cmd.exe	92
PID 1496 wrote to memory of 2380	1496	cmd.exe	92
PID 1496 wrote to memory of 2380	1496	cmd.exe	92
PID 2380 wrote to memory of 1248	2380	OSPPSVC.exe	93
PID 2380 wrote to memory of 1248	2380	OSPPSVC.exe	93
PID 2380 wrote to memory of 1248	2380	OSPPSVC.exe	93
PID 2380 wrote to memory of 2832	2380	OSPPSVC.exe	94
PID 2380 wrote to memory of 2832	2380	OSPPSVC.exe	94
PID 2380 wrote to memory of 2832	2380	OSPPSVC.exe	94
PID 1248 wrote to memory of 3048	1248	WScript.exe	95
PID 1248 wrote to memory of 3048	1248	WScript.exe	95
PID 1248 wrote to memory of 3048	1248	WScript.exe	95
PID 3048 wrote to memory of 2608	3048	OSPPSVC.exe	96
PID 3048 wrote to memory of 2608	3048	OSPPSVC.exe	96
PID 3048 wrote to memory of 2608	3048	OSPPSVC.exe	96
PID 3048 wrote to memory of 2144	3048	OSPPSVC.exe	97
PID 3048 wrote to memory of 2144	3048	OSPPSVC.exe	97
PID 3048 wrote to memory of 2144	3048	OSPPSVC.exe	97
PID 2608 wrote to memory of 2756	2608	WScript.exe	98
PID 2608 wrote to memory of 2756	2608	WScript.exe	98
PID 2608 wrote to memory of 2756	2608	WScript.exe	98
PID 2756 wrote to memory of 1056	2756	OSPPSVC.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
"C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hK16ZrMtBk.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1648
- - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
    "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef0821ae-7a64-467e-a74f-4c4519569808.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ae02fea-6b96-483d-a117-8d81e902d7f9.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e3d9c51-71de-42ee-ad68-4ce8298e90fe.vbs"
        8⤵
        
        PID:1056
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6eac2a6-92d9-4f5c-9e33-7b8dc72c89a3.vbs"
        10⤵
        
        PID:1792
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6e559e2-d6e5-4fac-bdb6-a331d7eb0bd0.vbs"
        12⤵
        
        PID:2624
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d5ec1ae5-5f5f-4369-862b-0dae31116c92.vbs"
        14⤵
        
        PID:656
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2f95708-416c-412f-a0fb-bde77152a055.vbs"
        16⤵
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5e438828-6ff4-4350-9835-177fe786fb64.vbs"
        16⤵
        
        PID:1220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae764209-d856-42e5-a845-8341efd24d36.vbs"
        14⤵
        
        PID:3036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c8ba41b-19f4-4528-93c6-c000398c0fcb.vbs"
        12⤵
        
        PID:568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba7f1b52-63b3-4a5c-8d4f-f8f411f07ba5.vbs"
        10⤵
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4f7ff4f-d99e-4e79-aab2-a71a9c100224.vbs"
        8⤵
        
        PID:684
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60c66690-5c8d-4e3a-96e4-e48f29996105.vbs"
        6⤵
        
        PID:2144
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\326415c1-8681-494d-87df-75f9d0f2235a.vbs"
      4⤵
      PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\system\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\system\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe

Filesize
1.7MB

MD5
acf612214ada3f9d74c8d1e1eb203c65

SHA1
a19a73258f76fae1b45f6f87733bb1b55fe0c6bd

SHA256
9587097c561d279a067446dee7185d773a02ab8fff19afc3ac98d78595b83700

SHA512
1f15dad865eeef6d01409b652e29b90409f703b88375eb504535bf406b6bd7ea7ae66649f3c9b39f34ed3fbf4f7d2e3290a5a1cbe51d978e13fb1cfd613c9dcc

Download Submit
C:\Program Files\DVD Maker\de-DE\wininit.exe

Filesize
1.7MB

MD5
d6e4bf207c682fb1d79a03a0e8824a06

SHA1
6fdc81de5756211ace1fac4b675608cd3375ca59

SHA256
dbb6a6094054619486d8499e8f4b9edda29ad64800b71c602c1050c6a9b31cc9

SHA512
ba3b441109796a8795f7ed013ad04be0fa7ff193ca6e695a8a3c024adeecd406361b79ce3793529a5250fb95ff311f9fdc5596e92f69dc9a3a6a8545a108a625

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\explorer.exe

Filesize
1.7MB

MD5
89b97de873721b7f7c0e290f3009714a

SHA1
a497ecfd40010292888930dad8e90139555a53a1

SHA256
7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

SHA512
48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\explorer.exe

Filesize
1.7MB

MD5
2478242cf30c52a1db0714367352ec74

SHA1
71be58096a0cd68b583074b2e0bdc61bc963a4d8

SHA256
c6ee627e9b5fe2d016601e7dde96caad7f22626a396c4788a310a32dc5f18b1c

SHA512
03fc28d088d6dadb39291955ef09080476a3a19f21e89eda3d9427db768bd82cb6a53f7ff601f36b00de59f96a8e1b51f6dd16c08e76d79c1265d348628b4d1e

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe

Filesize
1.7MB

MD5
5d815ce0b018afe9899e6bd00ef3cb55

SHA1
ede0a3a55661e80d8b8505a2bfcb239e459322a0

SHA256
f1a95c293a52a8f2f322553e14e423108d53259360262d4fba04eea56b3b2d62

SHA512
d09679d4aef362f7bd94e6cd56ac00a24c36275798645d6a581beced0984a81682ac1b351ec000c6343bcfb712d6d334bea6de2c2e0c2f7980c551b7360c51e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ae02fea-6b96-483d-a117-8d81e902d7f9.vbs

Filesize
736B

MD5
670aef3038b47b68eb86c0839f3d3a15

SHA1
d093653a3e7a6446c0cbe2e9e33a496601611c12

SHA256
9b5e940a4fb1c98d9be026e3ba569bb173b457df4ebea1d2606a94e2c0356f03

SHA512
f0a0229f3a70f44788a427a8764dfba55a206e0f06ea622c6ad684fb653c9511626a74197e6ef82cfee5acac332c84af8da4c259f69c6b1135a44bf5116c2160

Download Submit
C:\Users\Admin\AppData\Local\Temp\326415c1-8681-494d-87df-75f9d0f2235a.vbs

Filesize
512B

MD5
c27be71e5a879f98068f5839d0522b95

SHA1
82a27092e6ebd285ad9b1ecc16f3c73d47eb891c

SHA256
b9a9a156c2bf42a2f2965996ca8f2ee2d2f66ee9f8164a334d49dd25b1bb94d4

SHA512
d3d44a67eb756d39862c22643e3ce96e1d841a7f28ce9252673bc9c8273313143867375f9db18d388e79e7c636c3df97805659f2df59e7b75781ddd7099eaeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5e3d9c51-71de-42ee-ad68-4ce8298e90fe.vbs

Filesize
736B

MD5
125e7ec06b9a1f45f6af94d0484a5659

SHA1
9bf4b1ad78ded37df84bdd1feec7a7a85b363939

SHA256
7ecb4eae2bc0b191f5c3afee646946a7abf2cd0150288f3057132916df7f7680

SHA512
928b9c7c4793c7aa41a01daf069e3afeab332e34d3ceb2c456fd6774b079697a3739f548008c07387672749a1250afd7e68e84f55dcce91324e91150e4b0c1c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6e559e2-d6e5-4fac-bdb6-a331d7eb0bd0.vbs

Filesize
736B

MD5
123c332bb614d026cea95792531fa099

SHA1
f9339fc0158e002b8628433f0756d8a807c01896

SHA256
70387e63e1bec017d7c811294da41d8d1a5414064a410ac1d2a7aafd31a9a68e

SHA512
8b91190f76c6593528bc82d2a230dff4756b1f2de26a8c7d1b16f98948300416d1e21947c974d8fbe4cde890105b6b6e80512d26f1d86190f301b0f6d2282aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d5ec1ae5-5f5f-4369-862b-0dae31116c92.vbs

Filesize
736B

MD5
2e57769b45486f11965dd2c96c1897ac

SHA1
470e29a271c6455792927e226390e6a9902d9886

SHA256
2f2452d5b238840039ddab79e35d79bbf3f9eff1b0c9188c155109ff972e8ee0

SHA512
59ff058d3228e3389033ae6578bd62d570a5af851d45d578e95cd84f765be056ef545287f40d5516d117235aedee1e3244833e0f865a82d4cf6f49fca2d68d41

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2f95708-416c-412f-a0fb-bde77152a055.vbs

Filesize
736B

MD5
48e752d1e1afa1204d203e577c3c52e3

SHA1
2cce80373b425640218d08b910d96d63438c88c5

SHA256
03bae2a0743a3a15b6f5fdf74078c998658746170b9c923daf58ee7b7bf2c8cd

SHA512
4da60c69a0559ee12ed9e6f0cbe4c3e2ed2ede60129f1115719ac88969b7e9b08d9cb1d73fbd2db42faafee7ec2b46145f37615ef440167232895d1e117f9334

Download Submit
C:\Users\Admin\AppData\Local\Temp\ef0821ae-7a64-467e-a74f-4c4519569808.vbs

Filesize
736B

MD5
753fd4c1eb9dacfd0906a1384e1219c9

SHA1
944a6a4ad1350c5ed127794f79f97e070eba9fbf

SHA256
7cd0f1d2d5752bec25e5a74e51adf779c4c5e9c3065baf02e85f52ff5dadc842

SHA512
22fb34b81a65097eaa0fdef03bf9ca4c058995c744ce9e59e229486b78f0673ea1d4e5c6217c647899ba12c8d4f512b3458ef1704804a6d6ea9ed350d7852190

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6eac2a6-92d9-4f5c-9e33-7b8dc72c89a3.vbs

Filesize
736B

MD5
9fce8b718ead9a373195c1367e83d3b8

SHA1
9c16b327521259319408f715da947e0b918b4ab6

SHA256
975a2ae8aab9c1721440e4c18a61f3a3abd5376da28bd010a4f089875a0c1b4d

SHA512
5a60949f07ce12790cd5b26ff913308238b019105aedc845835ef17a85f73380adfb18a1885e91fb220a8e125aeecbc94e2958a66102e1b7a8c04b59a8f79af0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hK16ZrMtBk.bat

Filesize
225B

MD5
ea0b544ecd3341eff889c9335843f28e

SHA1
d0f6eb80b72162661fe0a5f65a3623a4c74c3797

SHA256
2a6df49751b224bda18529d985cbd6d43cf532ce694ec87cf70368a342001aa4

SHA512
a9b39840fb53e424ba55637389bc8379a7830009238a5fa0b0a62cafc4e9d294e4a0196e7decf4b8c8adc8775544c0f722727e20f9c1fbfdb6d4ea039de1246c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\92JW5OZV9W3MWVJZNTHE.temp

Filesize
7KB

MD5
220efefe32af3483d214d460e04ff09e

SHA1
473f00abeaf93c38c058653f60ceb03213880e64

SHA256
7972ed7825799a53c5110b7b631d3336f000a6bc00c2119d71724bbbaca5d44b

SHA512
f81e49d3c95ebab1d55c88cbae71fa61e123e4c7d961e2a55e67cbc7013b54363fde43f6089b0a0d4716fc9b123b94e40a2885f5cd8dbee22de941715517827d

Download Submit
C:\Windows\LiveKernelReports\services.exe

Filesize
1.7MB

MD5
38d404723f2d262ba6c123f0ab1a87ad

SHA1
85a269a3379a2bafc20ba17bc8b159f13c271d4b

SHA256
cc0d3b4a23700ad70dfbaa63efe458af87410a99e1e542f49a9c93542d82c170

SHA512
ad8b82d52d4c651b3ba7c836440b72022d57eea5c7b2c0fe200f2daf5d4b2debc4f97f6ea7ec2ae5df70cb3cb9ff732609a86e7aa05f89a27713957025c3a571

Download Submit
memory/1056-185-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1056-184-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1516-277-0x0000000000210000-0x00000000003D0000-memory.dmp

Filesize
1.8MB

Download
memory/1696-265-0x0000000000D60000-0x0000000000F20000-memory.dmp

Filesize
1.8MB

Download
memory/2380-230-0x00000000010B0000-0x0000000001270000-memory.dmp

Filesize
1.8MB

Download
memory/2660-301-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/2756-253-0x0000000000850000-0x0000000000A10000-memory.dmp

Filesize
1.8MB

Download
memory/2976-12-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/2976-9-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/2976-19-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-177-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-17-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2976-16-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2976-15-0x0000000000AD0000-0x0000000000AD8000-memory.dmp

Filesize
32KB

Download
memory/2976-14-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2976-13-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2976-0-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2976-1-0x00000000013D0000-0x0000000001590000-memory.dmp

Filesize
1.8MB

Download
memory/2976-162-0x000007FEF57E3000-0x000007FEF57E4000-memory.dmp

Filesize
4KB

Download
memory/2976-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2976-8-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/2976-7-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/2976-6-0x0000000000580000-0x0000000000596000-memory.dmp

Filesize
88KB

Download
memory/2976-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2976-4-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2976-2-0x000007FEF57E0000-0x000007FEF61CC000-memory.dmp

Filesize
9.9MB

Download
memory/2976-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/3048-241-0x0000000000090000-0x0000000000250000-memory.dmp

Filesize
1.8MB

Download
memory/3060-289-0x0000000001130000-0x00000000012F0000-memory.dmp

Filesize
1.8MB

Download