dcrat | 7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

Analysis

max time kernel
59s
max time network
60s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/12/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Size

1.7MB
MD5

89b97de873721b7f7c0e290f3009714a
SHA1

a497ecfd40010292888930dad8e90139555a53a1
SHA256

7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2
SHA512

48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvX:eTHUxUoh1IF9gl2o

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2280	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2280	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2684-1-0x0000000001080000-0x0000000001240000-memory.dmp	dcrat
behavioral1/files/0x000500000001961c-28.dat	dcrat
behavioral1/files/0x000a0000000175ae-75.dat	dcrat
behavioral1/files/0x000d0000000186ca-122.dat	dcrat
behavioral1/files/0x0009000000019605-134.dat	dcrat
behavioral1/files/0x00070000000196a1-145.dat	dcrat
behavioral1/memory/1984-305-0x00000000010D0000-0x0000000001290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe
2084	powershell.exe
1208	powershell.exe
2252	powershell.exe
2176	powershell.exe
2440	powershell.exe
3064	powershell.exe
1964	powershell.exe
1972	powershell.exe
1132	powershell.exe
2436	powershell.exe
1248	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Executes dropped EXE 2 IoCs

pid	Process
1984	services.exe
2796	services.exe

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\winlogon.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Google\CrashReports\audiodg.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Google\CrashReports\42af1c969fbb7b	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsm.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Windows NT\winlogon.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXBB84.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXC405.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows NT\RCXCD8E.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows NT\RCXCD8F.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCXD7A6.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Windows Journal\ja-JP\smss.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\56085415360792	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\101b941d020240	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsm.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\RCXBD89.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXC609.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\RCXCB1C.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXD39D.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Microsoft Games\Solitaire\winlogon.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Windows NT\cc11b995f2a76d	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\RCXBDF7.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\56085415360792	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Windows Journal\ja-JP\69ddcba757bf72	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\RCXBB85.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\audiodg.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\RCXC678.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\RCXCF93.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\RCXCF94.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\Microsoft Games\Solitaire\cc11b995f2a76d	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows Journal\ja-JP\smss.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXD39E.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\RCXD7A7.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\6203df4a6bafc7	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\6ccacd8608530f	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCXC406.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\RCXCB8A.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Program Files\Windows NT\winlogon.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\x86_netfx-wminet_utils_dll_b03f5f7f11d50a3a_6.1.7601.17514_none_478e55843710fde4\services.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\Vss\csrss.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File created	C:\Windows\Vss\886983d96e3d3e	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\Vss\RCXC200.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\Vss\RCXC201.tmp	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
File opened for modification	C:\Windows\Vss\csrss.exe	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2164	schtasks.exe
2980	schtasks.exe
1280	schtasks.exe
1924	schtasks.exe
1748	schtasks.exe
2884	schtasks.exe
828	schtasks.exe
2008	schtasks.exe
1700	schtasks.exe
936	schtasks.exe
2276	schtasks.exe
2568	schtasks.exe
1456	schtasks.exe
2272	schtasks.exe
1444	schtasks.exe
2912	schtasks.exe
2596	schtasks.exe
2652	schtasks.exe
2928	schtasks.exe
2076	schtasks.exe
1084	schtasks.exe
1528	schtasks.exe
932	schtasks.exe
1044	schtasks.exe
2140	schtasks.exe
1904	schtasks.exe
2380	schtasks.exe
648	schtasks.exe
2560	schtasks.exe
2136	schtasks.exe
2056	schtasks.exe
1132	schtasks.exe
264	schtasks.exe
1764	schtasks.exe
3064	schtasks.exe
2904	schtasks.exe
2444	schtasks.exe
1880	schtasks.exe
1800	schtasks.exe
564	schtasks.exe
824	schtasks.exe
3052	schtasks.exe
3060	schtasks.exe
1064	schtasks.exe
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
2084	powershell.exe
1208	powershell.exe
2176	powershell.exe
1248	powershell.exe
1132	powershell.exe
1964	powershell.exe
2440	powershell.exe
1972	powershell.exe
3064	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1984	services.exe
Token: SeDebugPrivilege	2796	services.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2084	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	76
PID 2684 wrote to memory of 2084	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	76
PID 2684 wrote to memory of 2084	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	76
PID 2684 wrote to memory of 1972	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	77
PID 2684 wrote to memory of 1972	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	77
PID 2684 wrote to memory of 1972	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	77
PID 2684 wrote to memory of 1208	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	78
PID 2684 wrote to memory of 1208	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	78
PID 2684 wrote to memory of 1208	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	78
PID 2684 wrote to memory of 2252	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	80
PID 2684 wrote to memory of 2252	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	80
PID 2684 wrote to memory of 2252	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	80
PID 2684 wrote to memory of 1132	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	81
PID 2684 wrote to memory of 1132	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	81
PID 2684 wrote to memory of 1132	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	81
PID 2684 wrote to memory of 2436	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	82
PID 2684 wrote to memory of 2436	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	82
PID 2684 wrote to memory of 2436	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	82
PID 2684 wrote to memory of 1248	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	83
PID 2684 wrote to memory of 1248	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	83
PID 2684 wrote to memory of 1248	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	83
PID 2684 wrote to memory of 2440	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	84
PID 2684 wrote to memory of 2440	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	84
PID 2684 wrote to memory of 2440	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	84
PID 2684 wrote to memory of 2176	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	85
PID 2684 wrote to memory of 2176	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	85
PID 2684 wrote to memory of 2176	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	85
PID 2684 wrote to memory of 3064	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	86
PID 2684 wrote to memory of 3064	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	86
PID 2684 wrote to memory of 3064	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	86
PID 2684 wrote to memory of 2212	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	87
PID 2684 wrote to memory of 2212	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	87
PID 2684 wrote to memory of 2212	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	87
PID 2684 wrote to memory of 1964	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	88
PID 2684 wrote to memory of 1964	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	88
PID 2684 wrote to memory of 1964	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	88
PID 2684 wrote to memory of 2964	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	100
PID 2684 wrote to memory of 2964	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	100
PID 2684 wrote to memory of 2964	2684	7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe	100
PID 2964 wrote to memory of 2444	2964	cmd.exe	102
PID 2964 wrote to memory of 2444	2964	cmd.exe	102
PID 2964 wrote to memory of 2444	2964	cmd.exe	102
PID 2964 wrote to memory of 1984	2964	cmd.exe	103
PID 2964 wrote to memory of 1984	2964	cmd.exe	103
PID 2964 wrote to memory of 1984	2964	cmd.exe	103
PID 1984 wrote to memory of 496	1984	services.exe	104
PID 1984 wrote to memory of 496	1984	services.exe	104
PID 1984 wrote to memory of 496	1984	services.exe	104
PID 1984 wrote to memory of 592	1984	services.exe	105
PID 1984 wrote to memory of 592	1984	services.exe	105
PID 1984 wrote to memory of 592	1984	services.exe	105
PID 496 wrote to memory of 2796	496	WScript.exe	106
PID 496 wrote to memory of 2796	496	WScript.exe	106
PID 496 wrote to memory of 2796	496	WScript.exe	106
PID 2796 wrote to memory of 2896	2796	services.exe	107
PID 2796 wrote to memory of 2896	2796	services.exe	107
PID 2796 wrote to memory of 2896	2796	services.exe	107
PID 2796 wrote to memory of 1216	2796	services.exe	108
PID 2796 wrote to memory of 1216	2796	services.exe	108
PID 2796 wrote to memory of 1216	2796	services.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe
"C:\Users\Admin\AppData\Local\Temp\7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QnaEvoMYEw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2444
- - C:\Users\Admin\Application Data\services.exe
    "C:\Users\Admin\Application Data\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ff8ff10b-d8a1-4e21-a186-65b97d9a6dba.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:496
    - - C:\Users\Admin\Application Data\services.exe
        
        "C:\Users\Admin\Application Data\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1036eec7-9f7d-45b7-b67e-a121325555ed.vbs"
        6⤵
        
        PID:2896
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\242a9ea8-4da3-4222-8303-d4bf38449799.vbs"
        6⤵
        
        PID:1216
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a623d57-7b33-464a-a16b-84923d3ecfdd.vbs"
      4⤵
      PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Solitaire\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Solitaire\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Vss\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Contacts\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Contacts\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\ja-JP\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Application Data\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Application Data\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\CrashReports\audiodg.exe

Filesize
1.7MB

MD5
89b97de873721b7f7c0e290f3009714a

SHA1
a497ecfd40010292888930dad8e90139555a53a1

SHA256
7e65ab5afee261bd117db1d0de4ab3bae1f5eb82c591b41bf66f011300d565d2

SHA512
48a4de3da13249137fac6c62df309a3be67c2123f689a0186fb48af00d2f60ab9faf1d2f7e865af9e3e3403f1d9abfee77386f92d7fb476a6717b10f2bc5d474

Download Submit
C:\Program Files (x86)\Microsoft Sync Framework\wininit.exe

Filesize
1.7MB

MD5
704435a0f37861546ad33cab6a411330

SHA1
616b4b1bb4cd9050d76395cbcc1ee6d6e6967c60

SHA256
7ea950bb0ab05a7dcd29d461d87f1f6f4f39b5cbb9f5652f40be1d7d25d00a59

SHA512
83c9ea7db7f22585ed0bcc15748f0b34e5b2e45715ae0a973665b91c78ef7f3910044b98a8ab06e1fe5d0a6556634616ab68740c7144afbb90e133d16e03b74a

Download Submit
C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\lsm.exe

Filesize
1.7MB

MD5
b8c785a49a3d70288a3466cd74b56bfa

SHA1
5034c156a12aeda26da24b3c88c6af2f7408a6b7

SHA256
d63b42aea5a8d28886b7cdf4cc8e09a921f53554a5f5024545aabfd306fa3bbc

SHA512
4ebf40e138456ba290ddd93b3f2840d01bcff123e462636372e895cbf60365bcae1fed97dd8dc34d4eaf96395e08471f82e2767f9c3a71ce9cd11d8d7bd5ad58

Download Submit
C:\Program Files\Microsoft Games\Solitaire\winlogon.exe

Filesize
1.7MB

MD5
42f51e4f387023f27a031b291cf8c1f3

SHA1
b043311b71497b34a2e198e23a68837f91229d8d

SHA256
6179e788d86a0b0161bf6e684bd59ec42f718e27bf4e4d9d2cb5775cfa80ede5

SHA512
e1e5ee6327e502b4fc70beae42466cd8069fd4e52408e2363280129d079be8947ea484f365c4e97ce59d6039c8c9430bba168ef1a29a002d59815acf8b80f3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\1036eec7-9f7d-45b7-b67e-a121325555ed.vbs

Filesize
720B

MD5
d481214f496ba8e3c7e2ec87ae88e3f4

SHA1
77a19f54b739a5bf2c2506cc67610ad799181523

SHA256
7c368e5f438d3e8d5d4e7a25e454fb8985ba1067b2c67cb54fc79c5a5e17b179

SHA512
3df7a5e96f4a4999aa0206af968a0966f18e44749471ef53e47c42e20ed0b67d26928411750b73b283d6130d3070443e811e65cad8aa8276c4b7b1c5e2221f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a623d57-7b33-464a-a16b-84923d3ecfdd.vbs

Filesize
496B

MD5
c22e28cfb4a64df9ffb199323ced1164

SHA1
fba8e4aa640a627d07ce27bfe43a30919fd805a3

SHA256
21644c7ae16a5505890a83e5bf37574c03fed1c4743e3cb2265f7323c5da2d60

SHA512
11307cc6b6b5b94ef6493590ece3e2ba512dc9ca26a478727e8cbd86154e2946c4ed8faf4f4bfdec06d12489ee16bacc5392c59601b06df62bff9809cb46b0ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\QnaEvoMYEw.bat

Filesize
209B

MD5
a899c60b87af142dd2068346b5baf959

SHA1
4813cb9b58560740bfe826c697b954d3440fa3ca

SHA256
49cb2a0838829ce92887cdcf4e051824ed0412f14f2379b38eb55a63d9e9e90b

SHA512
cea9405b3797c3fd34f8dc762c6655203a43a62e63ff8a127db169beb1b8d86ec6b2c86341fc453a03c94c9f0588ed54a353a8e7fba8701fa04559737ee0f152

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff8ff10b-d8a1-4e21-a186-65b97d9a6dba.vbs

Filesize
720B

MD5
7d98acacf188995be55fdcf1cb98b37a

SHA1
3dda67d6e81082ebb4e1184d0e7d18122da3b98d

SHA256
6a7af0f4faf589d7972fb7ef0f2cab903eb52b08d33f74068b55bcfe0563cf04

SHA512
41ea51d656c89b43ac9cd9b1893b159a445e21aa7d362b87c28aa6c5459d81ff69bf93727f793521a2f75d3a4408a4d54fd007e578bdacc1fb51a25281de8ede

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b4561e050db10ec248a3c02344ee0330

SHA1
70996fb69d9a98c17d0d173d69ed1c5ea44411ae

SHA256
773f04bfc4f3f3b55d25f57e64d99cffe1a730fa4405bbc834d0d3009d3a913a

SHA512
79388d3ad9e17c985d38dcb8e1b085f7bc4db6bc6842a16ce407a2e0ec3b190f5226f35a4c10c1316474d2e5cbfb4185a7d74450285ea48effb6f302e6ad3962

Download Submit
C:\Users\Admin\Contacts\taskhost.exe

Filesize
1.7MB

MD5
a9b32fb203e5a4190a77f604a7fd793a

SHA1
2a599ccf49f7f21c77c08095bb10e08950371b54

SHA256
1d7760b047fdd8295184f8393700889d28450c0c8cca1fdb8afce14fd176f546

SHA512
01f6d8f5eb74b631e0bf6e2b8a13be97139d725a23e0952012222811737f7ccb76148fbf6e947c53f6f8024f812268bd94e55015bfff3ee67f48430b783fc85e

Download Submit
memory/1208-252-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1984-305-0x00000000010D0000-0x0000000001290000-memory.dmp

Filesize
1.8MB

Download
memory/2084-253-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2684-21-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-9-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/2684-16-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2684-17-0x0000000000DE0000-0x0000000000DEC000-memory.dmp

Filesize
48KB

Download
memory/2684-20-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-0-0x000007FEF63C3000-0x000007FEF63C4000-memory.dmp

Filesize
4KB

Download
memory/2684-13-0x0000000000AE0000-0x0000000000AEA000-memory.dmp

Filesize
40KB

Download
memory/2684-14-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/2684-12-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/2684-125-0x000007FEF63C3000-0x000007FEF63C4000-memory.dmp

Filesize
4KB

Download
memory/2684-11-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/2684-15-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/2684-148-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-173-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-222-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-240-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-8-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2684-7-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2684-6-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/2684-4-0x00000000002F0000-0x00000000002F8000-memory.dmp

Filesize
32KB

Download
memory/2684-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2684-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2684-2-0x000007FEF63C0000-0x000007FEF6DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2684-1-0x0000000001080000-0x0000000001240000-memory.dmp

Filesize
1.8MB

Download