dcrat | 4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-12-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
Size

1.7MB
MD5

9fe8f36d8984b0c20ab3c05e692239d7
SHA1

fb06e1b686d106f94da0b7715b665d91022d57ba
SHA256

4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8
SHA512

f7ded57cf10048307be5f8824eadc58c7bb8574173050cecac82d68ea41899facc444f561f554fd22a239263eb81949da138f67ffb57a888f0c987493ccefd7d
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvQ:OTHUxUoh1IF9gl25

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2424	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2424	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2088-1-0x0000000000320000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/files/0x0005000000019f6e-27.dat	dcrat
behavioral1/files/0x000600000001a4f4-64.dat	dcrat
behavioral1/files/0x000700000001a443-154.dat	dcrat
behavioral1/memory/2520-198-0x0000000000FA0000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1080-260-0x0000000000350000-0x0000000000510000-memory.dmp	dcrat
behavioral1/memory/1484-272-0x0000000000C80000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/2196-284-0x00000000000C0000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1140-296-0x00000000002B0000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2408-308-0x0000000000C70000-0x0000000000E30000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1572	powershell.exe
2116	powershell.exe
1736	powershell.exe
2472	powershell.exe
2524	powershell.exe
1596	powershell.exe
1856	powershell.exe
2476	powershell.exe
2540	powershell.exe
2248	powershell.exe
1592	powershell.exe
2148	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Executes dropped EXE 8 IoCs

pid	Process
2520	dwm.exe
2516	dwm.exe
1728	dwm.exe
1080	dwm.exe
1484	dwm.exe
2196	dwm.exe
1140	dwm.exe
2408	dwm.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\c5b4cb5e9653cc	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXE1A6.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\RCXE1A7.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TAPI\RCXD8B9.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\TAPI\RCXD8BA.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\TAPI\lsass.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\en-US\RCXDABE.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\diagnostics\scheduled\Maintenance\WmiPrvSE.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\TAPI\lsass.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\en-US\769247b9434fd0	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\en-US\RCXDABD.tmp	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File opened for modification	C:\Windows\en-US\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\TAPI\6203df4a6bafc7	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
File created	C:\Windows\en-US\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2672	schtasks.exe
1156	schtasks.exe
2132	schtasks.exe
2920	schtasks.exe
568	schtasks.exe
2808	schtasks.exe
2620	schtasks.exe
2704	schtasks.exe
668	schtasks.exe
1208	schtasks.exe
1620	schtasks.exe
2100	schtasks.exe
2328	schtasks.exe
1708	schtasks.exe
1080	schtasks.exe
2636	schtasks.exe
3028	schtasks.exe
2360	schtasks.exe
2732	schtasks.exe
1984	schtasks.exe
2932	schtasks.exe
2940	schtasks.exe
2972	schtasks.exe
2608	schtasks.exe
2748	schtasks.exe
2368	schtasks.exe
2820	schtasks.exe
2844	schtasks.exe
2868	schtasks.exe
2084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
2540	powershell.exe
2472	powershell.exe
1736	powershell.exe
1572	powershell.exe
2524	powershell.exe
2116	powershell.exe
2476	powershell.exe
2148	powershell.exe
1592	powershell.exe
1856	powershell.exe
2520	dwm.exe
2520	dwm.exe
2248	powershell.exe
2520	dwm.exe
1596	powershell.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe
2520	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2520	dwm.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2516	dwm.exe
Token: SeDebugPrivilege	1728	dwm.exe
Token: SeDebugPrivilege	1080	dwm.exe
Token: SeDebugPrivilege	1484	dwm.exe
Token: SeDebugPrivilege	2196	dwm.exe
Token: SeDebugPrivilege	1140	dwm.exe
Token: SeDebugPrivilege	2408	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 1736	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	62
PID 2088 wrote to memory of 1736	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	62
PID 2088 wrote to memory of 1736	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	62
PID 2088 wrote to memory of 2476	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	63
PID 2088 wrote to memory of 2476	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	63
PID 2088 wrote to memory of 2476	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	63
PID 2088 wrote to memory of 2540	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	64
PID 2088 wrote to memory of 2540	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	64
PID 2088 wrote to memory of 2540	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	64
PID 2088 wrote to memory of 2472	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	65
PID 2088 wrote to memory of 2472	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	65
PID 2088 wrote to memory of 2472	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	65
PID 2088 wrote to memory of 2248	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	66
PID 2088 wrote to memory of 2248	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	66
PID 2088 wrote to memory of 2248	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	66
PID 2088 wrote to memory of 2524	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	67
PID 2088 wrote to memory of 2524	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	67
PID 2088 wrote to memory of 2524	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	67
PID 2088 wrote to memory of 1592	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	68
PID 2088 wrote to memory of 1592	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	68
PID 2088 wrote to memory of 1592	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	68
PID 2088 wrote to memory of 1596	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	69
PID 2088 wrote to memory of 1596	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	69
PID 2088 wrote to memory of 1596	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	69
PID 2088 wrote to memory of 1856	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	70
PID 2088 wrote to memory of 1856	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	70
PID 2088 wrote to memory of 1856	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	70
PID 2088 wrote to memory of 1572	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	71
PID 2088 wrote to memory of 1572	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	71
PID 2088 wrote to memory of 1572	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	71
PID 2088 wrote to memory of 2148	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	72
PID 2088 wrote to memory of 2148	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	72
PID 2088 wrote to memory of 2148	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	72
PID 2088 wrote to memory of 2116	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	73
PID 2088 wrote to memory of 2116	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	73
PID 2088 wrote to memory of 2116	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	73
PID 2088 wrote to memory of 2520	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	86
PID 2088 wrote to memory of 2520	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	86
PID 2088 wrote to memory of 2520	2088	4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe	86
PID 2520 wrote to memory of 2276	2520	dwm.exe	87
PID 2520 wrote to memory of 2276	2520	dwm.exe	87
PID 2520 wrote to memory of 2276	2520	dwm.exe	87
PID 2520 wrote to memory of 2436	2520	dwm.exe	88
PID 2520 wrote to memory of 2436	2520	dwm.exe	88
PID 2520 wrote to memory of 2436	2520	dwm.exe	88
PID 2276 wrote to memory of 2516	2276	WScript.exe	89
PID 2276 wrote to memory of 2516	2276	WScript.exe	89
PID 2276 wrote to memory of 2516	2276	WScript.exe	89
PID 2516 wrote to memory of 2956	2516	dwm.exe	90
PID 2516 wrote to memory of 2956	2516	dwm.exe	90
PID 2516 wrote to memory of 2956	2516	dwm.exe	90
PID 2516 wrote to memory of 2208	2516	dwm.exe	91
PID 2516 wrote to memory of 2208	2516	dwm.exe	91
PID 2516 wrote to memory of 2208	2516	dwm.exe	91
PID 2956 wrote to memory of 1728	2956	WScript.exe	92
PID 2956 wrote to memory of 1728	2956	WScript.exe	92
PID 2956 wrote to memory of 1728	2956	WScript.exe	92
PID 1728 wrote to memory of 2024	1728	dwm.exe	93
PID 1728 wrote to memory of 2024	1728	dwm.exe	93
PID 1728 wrote to memory of 2024	1728	dwm.exe	93
PID 1728 wrote to memory of 2460	1728	dwm.exe	94
PID 1728 wrote to memory of 2460	1728	dwm.exe	94
PID 1728 wrote to memory of 2460	1728	dwm.exe	94
PID 2024 wrote to memory of 1080	2024	WScript.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe
"C:\Users\Admin\AppData\Local\Temp\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
  "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a5bc482-933a-4d88-b311-37585dd6efe0.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
      C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44e33383-5dc4-4803-8084-d42582973b6b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
      - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30488e4b-874c-4fb5-87a0-21bde7cfee66.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11a660a5-e1f5-4216-b5fc-8c079136065e.vbs"
        9⤵
        
        PID:1556
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\473e400c-f7e3-4aa0-b5f9-b48ff8bf37b3.vbs"
        11⤵
        
        PID:2804
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dced9ee7-679a-4ca2-b02b-a02b3d6060a8.vbs"
        13⤵
        
        PID:1072
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cec728d9-8006-4486-bdd7-a91b248a21e9.vbs"
        15⤵
        
        PID:1360
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bf68e05-587f-4409-9b98-32e1edf2e8db.vbs"
        17⤵
        
        PID:2948
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe
        18⤵
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\170e0267-4b59-4574-bd71-829e41862bb2.vbs"
        17⤵
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02e2dc1c-6e80-4c68-9e2c-58a3a5b3cd33.vbs"
        15⤵
        
        PID:2476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6d3aaca-9e50-4633-99d3-cdf242424cd1.vbs"
        13⤵
        
        PID:3012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ed7c39a-8de1-4e9f-a397-87d16727e533.vbs"
        11⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67d07b6d-9cf2-4a28-9688-6b06ab59820c.vbs"
        9⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a0bf5e5-7fcb-4708-8cf7-e36b91be234e.vbs"
        7⤵
        
        PID:2460
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\264bc3dd-e4d8-4982-9c94-133fb725bec2.vbs"
        5⤵
        
        PID:2208
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab75212f-f49b-47d6-8e1d-ceda6f1fb21e.vbs"
    3⤵
    PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe84" /sc MINUTE /mo 14 /tr "'C:\Windows\en-US\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8" /sc ONLOGON /tr "'C:\Windows\en-US\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe84" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\services.exe

Filesize
1.7MB

MD5
a34abc82a6438d2a8e3ca162bbfffa7e

SHA1
9bc69a53d08240eefe07e05c5c64a7143ef6058d

SHA256
61397a0a2f2f34b9d8e858540780a2bc47373888a6ba275f2d23135dd3586d02

SHA512
956862c2952198c20d1dbe02182730cba59c1d491c74dd79e92dbbcc12b646d053f1d34a5f4d4624cf5333f738ecc8fd35aec5bd4c84e304e9c662636380b2f5

Download Submit
C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe

Filesize
1.7MB

MD5
8c947e1f3bb62f8dfb75b615339c7004

SHA1
8bcc2d77b44540cefaa3ddf8b54b640695970f98

SHA256
271e11d23bd276cdd63297456c01aadcd215c033d321c39f231a43e62e6c37ba

SHA512
b72b9392dd362244c184389eeca72a0425987bf4c2d51a95c7d5fdf6a426d49040ada98ee3a9cbe5b52624283dcd00c50be0632319ff06e00b8a55208567317f

Download Submit
C:\Users\Admin\AppData\Local\Temp\11a660a5-e1f5-4216-b5fc-8c079136065e.vbs

Filesize
732B

MD5
ddf9c1d4554bf3f85b433beb94344bcc

SHA1
29dff18355baf38af9a0632f4f3a3660a5fbe332

SHA256
8323e2679d97a166212559cbcbfd40145b9dd088581cc8d4abc2dc8d240ecddc

SHA512
8ac4571a6a3f11557187de4554e0588a3b7f74dbee6f9edb8e8f1b67bf18856d072bc48f61a47087970beb604fb3dfa94b26945fc4cd9b43630b238924fbaa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\30488e4b-874c-4fb5-87a0-21bde7cfee66.vbs

Filesize
732B

MD5
9219cc31255ef2894548b7fa06b82bda

SHA1
8ddaff115b591b98185ec2fba27c2f3115e7c055

SHA256
b197d6ed5a9a9787b3051531a5f7ee563856e2c2098007c79e1b86fd2047b082

SHA512
c7e87e867bcbe139b582550a92bae1b68199e2912c7930c4a5d568457f3c53d5a16e23916441658f964155d2865e8c35feb0c501fcc241173c7199cf7f44436e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a5bc482-933a-4d88-b311-37585dd6efe0.vbs

Filesize
732B

MD5
0d1ef59fe205aa1a862e772b9d71576f

SHA1
2b99df1243c935ab48d30f241262ad8112bd5ad8

SHA256
bc4b616aa6af5ffc8a4ff3bbe62c15fdbc41bd28c707cc8f6fabb668ccb46e30

SHA512
a789de99f17aae1946706921fe7d7902c477eab5815437a6a5f003ac22dc04469981bcb7927d6e18824231f78619c3ec7c9fef46483f0974d86a1deefc695e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\44e33383-5dc4-4803-8084-d42582973b6b.vbs

Filesize
732B

MD5
d5723f1ecff3b593f6faa1abb4c8abcf

SHA1
91f6447442329009addb1536d4dc9f0899d923a7

SHA256
33c17f68ef5a22022ebc54ad7f29f56b4c277674841c49d6feeb007d91ad33a8

SHA512
f5ca4c2aae1d93e344f439458cab63285310e2133f166af3403172f8d723b729190d38f8007aa24e9976bd0015e11c95364dee6b2aadf75da5a3113a6c38565d

Download Submit
C:\Users\Admin\AppData\Local\Temp\473e400c-f7e3-4aa0-b5f9-b48ff8bf37b3.vbs

Filesize
732B

MD5
0f84fdbd3ca2a6ebd63310b1ea185b82

SHA1
c6e37b43adb1fce2d91a0f07e7b6f80ae44fde30

SHA256
3113c4ff30841a9af9202cdf6e355e763aae847e15e259c9a80605c4309139ca

SHA512
215cd10b4b4a16d4340ea906f3ef2fa83ae74013936e660f523faaef4e486dad11945ade24f11d7698b9ea94d665ec5afad40566dc03c2c7617bd8a8d8b1778e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bf68e05-587f-4409-9b98-32e1edf2e8db.vbs

Filesize
732B

MD5
e81050455134003210d5a5fa0c94f3c1

SHA1
2d0fd577a9a9817beaeba793e8648ae9d689c571

SHA256
a2a28af24671ff636d84df7c533978328deb0a1490be96205dd3206a8c94f35b

SHA512
d8b11622ac00a0f413bd80f3253fdb240299ce134b2a460223c33095f6269e99a1e903437339f083aad4111b29e4bbdb274deed12ce0be64577a178d906ba9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab75212f-f49b-47d6-8e1d-ceda6f1fb21e.vbs

Filesize
508B

MD5
cb63531770f1cd43f0e86442305445fe

SHA1
b348f24d5ae1c0ea4d380ce7b0097a6b6cc603c7

SHA256
3f8efebbd790b30d9c18465c3785485d6e93305ac9815452974583134e473c06

SHA512
d4039184bc663998f261101f9b407a82ffe996690b8b2a1e2d6cc42ac86f648164f89062b45ad3077d252438a9098c3cd750907581da4622e47704fd4ca46522

Download Submit
C:\Users\Admin\AppData\Local\Temp\cec728d9-8006-4486-bdd7-a91b248a21e9.vbs

Filesize
732B

MD5
7075c457d85f8eeffd7a8a7a527cb839

SHA1
7267ffc679ab7c634aa24cb4ff81380dcab40cb0

SHA256
2e42f692ae347bda93d91d3e12911d62d09aa56be8355fa3a305c59f65276453

SHA512
d407f211374b316f0b5d7ec59d66dfc8c9a61c9d08f00609a8f51206725eafcdfb53069990f3c1415649a022720d7bf439c2e348a067ef5c005f3ea6d445b1f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dced9ee7-679a-4ca2-b02b-a02b3d6060a8.vbs

Filesize
732B

MD5
18e1b694b068b03201a1654132d76223

SHA1
1cec0a9ba7f62dbf7ab10c52ecad04c675c65b4f

SHA256
c1f8f5342120eaf611b64d50039d9707f5d5cdf1cd583bc71f3bff2cbb3a56c4

SHA512
888942cccc116a0f4d6b276e0b0145bbcf32fa897bb29e1f38df7b7be2a5b9480854fa75319c8a0a36f4fbc97b5d5dc6b6f38b1037f482a5910ff9c90f5c4b70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b680f7e104531b6df23e2a7388282f45

SHA1
1b53a77f7f942b5d6773d14d662f0ab8b9ac0bbf

SHA256
69cd77cfc4717665df9163b1cdece5122c5778ea31acbb3ca5137c4c23046e85

SHA512
8520b88ef43eb4a5ae46e3d6c173e6d4c67333e10afaeb31c6c148260a8945e73cfe7189f642397f20fea2932092da8e7274050585f707c32b36066c1a722af5

Download Submit
C:\Users\Public\Recorded TV\Sample Media\OSPPSVC.exe

Filesize
1.7MB

MD5
9fe8f36d8984b0c20ab3c05e692239d7

SHA1
fb06e1b686d106f94da0b7715b665d91022d57ba

SHA256
4030f9a21683644ad51e2d6c6fcc121d2f0413ed5047a144adfee61b1668afe8

SHA512
f7ded57cf10048307be5f8824eadc58c7bb8574173050cecac82d68ea41899facc444f561f554fd22a239263eb81949da138f67ffb57a888f0c987493ccefd7d

Download Submit
memory/1080-260-0x0000000000350000-0x0000000000510000-memory.dmp

Filesize
1.8MB

Download
memory/1140-296-0x00000000002B0000-0x0000000000470000-memory.dmp

Filesize
1.8MB

Download
memory/1484-272-0x0000000000C80000-0x0000000000E40000-memory.dmp

Filesize
1.8MB

Download
memory/2088-12-0x0000000002180000-0x000000000218C000-memory.dmp

Filesize
48KB

Download
memory/2088-6-0x0000000000650000-0x0000000000666000-memory.dmp

Filesize
88KB

Download
memory/2088-17-0x00000000021D0000-0x00000000021DC000-memory.dmp

Filesize
48KB

Download
memory/2088-15-0x00000000021B0000-0x00000000021B8000-memory.dmp

Filesize
32KB

Download
memory/2088-16-0x00000000021C0000-0x00000000021CC000-memory.dmp

Filesize
48KB

Download
memory/2088-13-0x00000000021A0000-0x00000000021AA000-memory.dmp

Filesize
40KB

Download
memory/2088-1-0x0000000000320000-0x00000000004E0000-memory.dmp

Filesize
1.8MB

Download
memory/2088-2-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2088-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/2088-204-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2088-206-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2088-5-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2088-14-0x0000000002190000-0x000000000219E000-memory.dmp

Filesize
56KB

Download
memory/2088-0-0x000007FEF5DC3000-0x000007FEF5DC4000-memory.dmp

Filesize
4KB

Download
memory/2088-4-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/2088-11-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/2088-9-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/2088-8-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2088-7-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/2088-20-0x000007FEF5DC0000-0x000007FEF67AC000-memory.dmp

Filesize
9.9MB

Download
memory/2196-284-0x00000000000C0000-0x0000000000280000-memory.dmp

Filesize
1.8MB

Download
memory/2408-308-0x0000000000C70000-0x0000000000E30000-memory.dmp

Filesize
1.8MB

Download
memory/2408-309-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2472-195-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2516-237-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download
memory/2520-217-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/2520-198-0x0000000000FA0000-0x0000000001160000-memory.dmp

Filesize
1.8MB

Download
memory/2540-196-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download