dcrat | 6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21

Analysis

max time kernel
119s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 01:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
Size

1.7MB
MD5

5611f9a13bc9f94fe959951ca0fa6d30
SHA1

e0e1ba6f5f96bd4e1230df5b6e59b4f0cf87721e
SHA256

6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21
SHA512

0c070c5e9de3f93a95b1fa27c57c009b526c3143f6051078830ae01fc414fd1083a1d2d3cbe5ef42b717221715d2b7785b722aa8194af3b62078d09e332233c4
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2600	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2600	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2192-1-0x0000000000CA0000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/files/0x0005000000019650-27.dat	dcrat
behavioral1/files/0x000500000001a4cc-48.dat	dcrat
behavioral1/files/0x0011000000012280-83.dat	dcrat
behavioral1/files/0x000e0000000194d5-130.dat	dcrat
behavioral1/memory/2840-279-0x00000000003A0000-0x0000000000560000-memory.dmp	dcrat
behavioral1/memory/2936-290-0x0000000000070000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1508-302-0x0000000000A10000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/2228-314-0x0000000001220000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/1420-326-0x0000000000240000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1048-338-0x0000000000D30000-0x0000000000EF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2716	powershell.exe
2924	powershell.exe
2368	powershell.exe
2976	powershell.exe
2972	powershell.exe
1652	powershell.exe
2140	powershell.exe
1644	powershell.exe
608	powershell.exe
1500	powershell.exe
2868	powershell.exe
1936	powershell.exe
1804	powershell.exe
2780	powershell.exe
1808	powershell.exe
2916	powershell.exe
876	powershell.exe
1888	powershell.exe
1248	powershell.exe
960	powershell.exe
1364	powershell.exe
2292	powershell.exe
2592	powershell.exe
1656	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe

Executes dropped EXE 7 IoCs

pid	Process
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2840	services.exe
2936	services.exe
1508	services.exe
2228	services.exe
1420	services.exe
1048	services.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\dllhost.exe	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX8480.tmp	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX8F44.tmp	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\e978f868350d50	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\powershell.exe	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6203df4a6bafc7	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX8F43.tmp	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Program Files\Uninstall Information\dllhost.exe	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\powershell.exe	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\RCX847F.tmp	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\addins\lsass.exe	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File created	C:\Windows\addins\lsass.exe	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File created	C:\Windows\addins\6203df4a6bafc7	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Windows\addins\RCX8B39.tmp	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
File opened for modification	C:\Windows\addins\RCX8B3A.tmp	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
1744	schtasks.exe
1548	schtasks.exe
1560	schtasks.exe
2464	schtasks.exe
2820	schtasks.exe
2340	schtasks.exe
852	schtasks.exe
2476	schtasks.exe
2452	schtasks.exe
2768	schtasks.exe
2560	schtasks.exe
1880	schtasks.exe
2440	schtasks.exe
2180	schtasks.exe
304	schtasks.exe
576	schtasks.exe
2204	schtasks.exe
2072	schtasks.exe
2824	schtasks.exe
1964	schtasks.exe
1620	schtasks.exe
2584	schtasks.exe
2696	schtasks.exe
696	schtasks.exe
2468	schtasks.exe
1232	schtasks.exe
1452	schtasks.exe
1796	schtasks.exe
2616	schtasks.exe
2164	schtasks.exe
1860	schtasks.exe
372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
960	powershell.exe
608	powershell.exe
2972	powershell.exe
1248	powershell.exe
1364	powershell.exe
2140	powershell.exe
1644	powershell.exe
2368	powershell.exe
2976	powershell.exe
2924	powershell.exe
1652	powershell.exe
1936	powershell.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
1888	powershell.exe
1656	powershell.exe
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2840	services.exe
Token: SeDebugPrivilege	2936	services.exe
Token: SeDebugPrivilege	1508	services.exe
Token: SeDebugPrivilege	2228	services.exe
Token: SeDebugPrivilege	1420	services.exe
Token: SeDebugPrivilege	1048	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 2140	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	55
PID 2192 wrote to memory of 2140	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	55
PID 2192 wrote to memory of 2140	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	55
PID 2192 wrote to memory of 1644	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	56
PID 2192 wrote to memory of 1644	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	56
PID 2192 wrote to memory of 1644	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	56
PID 2192 wrote to memory of 1652	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	57
PID 2192 wrote to memory of 1652	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	57
PID 2192 wrote to memory of 1652	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	57
PID 2192 wrote to memory of 1364	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	59
PID 2192 wrote to memory of 1364	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	59
PID 2192 wrote to memory of 1364	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	59
PID 2192 wrote to memory of 1936	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	61
PID 2192 wrote to memory of 1936	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	61
PID 2192 wrote to memory of 1936	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	61
PID 2192 wrote to memory of 608	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	62
PID 2192 wrote to memory of 608	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	62
PID 2192 wrote to memory of 608	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	62
PID 2192 wrote to memory of 960	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	63
PID 2192 wrote to memory of 960	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	63
PID 2192 wrote to memory of 960	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	63
PID 2192 wrote to memory of 2972	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	64
PID 2192 wrote to memory of 2972	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	64
PID 2192 wrote to memory of 2972	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	64
PID 2192 wrote to memory of 2976	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	65
PID 2192 wrote to memory of 2976	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	65
PID 2192 wrote to memory of 2976	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	65
PID 2192 wrote to memory of 2368	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	66
PID 2192 wrote to memory of 2368	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	66
PID 2192 wrote to memory of 2368	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	66
PID 2192 wrote to memory of 1248	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	67
PID 2192 wrote to memory of 1248	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	67
PID 2192 wrote to memory of 1248	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	67
PID 2192 wrote to memory of 2924	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	68
PID 2192 wrote to memory of 2924	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	68
PID 2192 wrote to memory of 2924	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	68
PID 2192 wrote to memory of 1528	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	79
PID 2192 wrote to memory of 1528	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	79
PID 2192 wrote to memory of 1528	2192	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	79
PID 1528 wrote to memory of 1500	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	89
PID 1528 wrote to memory of 1500	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	89
PID 1528 wrote to memory of 1500	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	89
PID 1528 wrote to memory of 1656	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	91
PID 1528 wrote to memory of 1656	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	91
PID 1528 wrote to memory of 1656	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	91
PID 1528 wrote to memory of 1888	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	92
PID 1528 wrote to memory of 1888	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	92
PID 1528 wrote to memory of 1888	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	92
PID 1528 wrote to memory of 876	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	93
PID 1528 wrote to memory of 876	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	93
PID 1528 wrote to memory of 876	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	93
PID 1528 wrote to memory of 2292	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	95
PID 1528 wrote to memory of 2292	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	95
PID 1528 wrote to memory of 2292	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	95
PID 1528 wrote to memory of 1808	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	96
PID 1528 wrote to memory of 1808	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	96
PID 1528 wrote to memory of 1808	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	96
PID 1528 wrote to memory of 2780	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	99
PID 1528 wrote to memory of 2780	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	99
PID 1528 wrote to memory of 2780	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	99
PID 1528 wrote to memory of 1804	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	100
PID 1528 wrote to memory of 1804	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	100
PID 1528 wrote to memory of 1804	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	100
PID 1528 wrote to memory of 2868	1528	6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
"C:\Users\Admin\AppData\Local\Temp\6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe
  "C:\Users\Admin\AppData\Local\Temp\6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1888
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2780
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Qe3hbrb0B7.bat"
    3⤵
    PID:2876
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2676
  - - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
      "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2840
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb3be622-1fd6-4179-937a-9c840a9b1f33.vbs"
        5⤵
        
        PID:3068
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c1a0813-94c4-4b39-a374-605a53a59ba1.vbs"
        7⤵
        
        PID:3052
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa9bc34b-a8ae-4fd4-b1cb-f9f1fe6a2405.vbs"
        9⤵
        
        PID:376
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a5c306c-5cea-4fa9-be94-dbc1fc16b630.vbs"
        11⤵
        
        PID:1056
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b7cb713-026f-4205-8841-8259e45629d8.vbs"
        13⤵
        
        PID:2168
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f56eeca6-6b73-4be9-820a-62f0f2ca777d.vbs"
        15⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86bb59e7-af82-494f-9d5f-1f63d57d83ba.vbs"
        15⤵
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\961eaa9d-0e1b-49eb-ae76-49ad812946ee.vbs"
        13⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\781b62d4-c37b-4dde-9bd1-04b861df8c69.vbs"
        11⤵
        
        PID:336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0c6950f-57c6-479e-9e1e-3270726693cd.vbs"
        9⤵
        
        PID:1412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43c2a402-f44d-4132-acf3-fba5d92a865c.vbs"
        7⤵
        
        PID:2232
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\98cc8803-db98-4a2a-a6f4-1b8b3a767705.vbs"
        5⤵
        
        PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\addins\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\addins\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\lsm.exe

Filesize
1.7MB

MD5
d43471f8685b77530b04ba8935ceeeee

SHA1
f9b8be899442fb7d79b71dadfd73e27a5f6eb1ae

SHA256
828275a1e9c1b1cc2055d5da5933128d0d7e844ea3585d74bc28553cfb3166f2

SHA512
c0978fec03ffb34d792e22eb237c3ac96d81430a4dd5be42632de1edb0ec729b39fd61d6332262e31a7cd77adb132fdd6cc5853970c7a77ff89c115afe0182a3

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
1.7MB

MD5
682018680c8d3c8c626e61fe171ebdef

SHA1
7fdf18138e40705516dac0091f4ff934f5f59f86

SHA256
8753601d73b5fde9ef2b27b6e85fb39639f7c569726c6e4166eb827da00394a4

SHA512
2b6ecc373ac2e567cd7b0820961304a0517890a402464f24fe363c3c69e675c3e48470be0a7b6b4fc5de3cfd62c3417eaa74db0bc121501762495aaffaa8ca44

Download Submit
C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe

Filesize
1.7MB

MD5
716a991c0ea98509d76fe7b54ddc77a3

SHA1
07680fc89a8b0dbb24f68178a3cf2630116b5743

SHA256
120e0654941ccdbee9f04eec4af6a22f8575c55dd0c871325e464589aebe86e3

SHA512
a9d29b4a5aecbaa009a59fd75515e426fa123c53efcf1abbfe1d6698ece123a723eb4e2aa843eb98abcb347e7da08f895f909e3146d93ea453e2296359b63c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1c1a0813-94c4-4b39-a374-605a53a59ba1.vbs

Filesize
737B

MD5
abb575fde6ef5ed2231094c3fac2c920

SHA1
0ce3cc2df2aed72cd8552c49a77e29ec8d26327a

SHA256
046b082f077eee6976c799471b57b006e59f99e0e301dadbef8ec4d7ef83bdda

SHA512
5ec2e24b9f2da2826450189bcb1b1ef2b71c51d717c2a4c59ad56c65bec2ad6d2d246b46691ea43f5108a3e76eefb83d68fe2334706ca5230ff1763beec2bc7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b7cb713-026f-4205-8841-8259e45629d8.vbs

Filesize
737B

MD5
f5a54ebc2563d3cadcdfdf52befdf814

SHA1
d6b18d1790e4c7506999eda87e2452859421de2e

SHA256
84e6e66c6cd2ba3553c6d7d1a277cc161cde335b00d959071d9dfd214802d2a8

SHA512
6060d62210d9635142adb4b5c014ebbfa8fde16240426141a43f6bf699be95e8040cb23fe755f2bad0d90906a3f41028870f411cbd4e09e4cd7d887891ad4785

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a5c306c-5cea-4fa9-be94-dbc1fc16b630.vbs

Filesize
737B

MD5
52f2397715feb2b997ebdc75a5ca004a

SHA1
65bca2db705e8eeac4a91d7a1662da43b993acbf

SHA256
14c8ba1eed6e7bd16b7367d3d76f2b18193ec515e7503816c54131d965ed8655

SHA512
350d3c48b52c3c5ee9402bcb675995b48bc60b2cbd8a9d077ca5368233f8e79874217f852c6c72fb49b8b44174edfda7b455041d7671cc345d914c7d1947c45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\98cc8803-db98-4a2a-a6f4-1b8b3a767705.vbs

Filesize
513B

MD5
7310c41eb56a3e4fda8a3fb5d19797e1

SHA1
d9bf12833e90c19ec5715fd8b540dd308716ee4c

SHA256
5facac392268f793c0cd8f3bfdeb53c289917fe84480b7c02b400a4024a0cce9

SHA512
ae5644902575c56e412ee59d8e0f58974bba50707ef5f7144c1b5e81c1d47e67539c4d0ff0f1bbbb72c4c8a6288641c1c2e3598f7ba9d72a4f72167fddd49ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qe3hbrb0B7.bat

Filesize
226B

MD5
819e5bbd15857ec9d3f03422ee473570

SHA1
1ed3537a5101d7d380ea40f6445538bf272b7941

SHA256
65fea475b7ccdcbdbd9fbcd8a6d3321d9713f10c11d2e9aa25df2a931c59b139

SHA512
69f3952e1f25d0b114dbf8930a73b598b043ae6dfd11a8c7d46f75fd42c628cae6a21e5f34a28142ed4e7a7046896f3c2a3be49dbb368f6b9df596e9370f517d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aa9bc34b-a8ae-4fd4-b1cb-f9f1fe6a2405.vbs

Filesize
737B

MD5
66a23efd5cf8c22eea3bd4ac5e4d865a

SHA1
f077e1e75cccc73a0ad2a102dea9c2269a454175

SHA256
58c3120eb9d4626df22c2331d250f75d509449b156d10e7469eb7f7894a1428a

SHA512
65d760cf5f67634db4223a342db703411e427e0aa1b59cd8e7ddc4bbdd8ffb37251624815e06e10bb1f84e3ec2934768a4192197a0c4d5be9982c348593ef01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb3be622-1fd6-4179-937a-9c840a9b1f33.vbs

Filesize
737B

MD5
c2dc1e1d7ae190242c281a006c5cbf00

SHA1
8d19bc89b049cc050b7eeba0cd53391cafa50ecd

SHA256
723cc8879b90a5cfb57dce2b092ce1326c424089bf4f9bb3d59afd869d30bc84

SHA512
c4b9e1d37ab7031ae9d4881d40131e5d38b25101d1fe71f948f5537875e4daa5e163d6afeb662dc4dfeeb71fbff4460f04c5df84702e9d0c38703512ac4b1074

Download Submit
C:\Users\Admin\AppData\Local\Temp\f56eeca6-6b73-4be9-820a-62f0f2ca777d.vbs

Filesize
737B

MD5
76fa46c487f11c88445e0fa62d17d4a3

SHA1
555673e2a152573be2457ba7e46172adf7707ae8

SHA256
73307f18bd20a0f8cb4b95c43f20d5c22451a95a40af59c2add7ab59860f7c49

SHA512
9a2b6f3bebc51bff758bb35c6d45ec09df55cebc0d86d58f9729c8ee16eb9b98de7b53f2bd5fec0e971bf392de21685ee23dcf7b5656135942bbe61b85ba7bad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e370a501dc66a84a29d58b46de3e5890

SHA1
c406c71624920e4362e5e4843e3fd165483a2d02

SHA256
a248095dae8471f1c3f5563bcb92398edeac238f7c1b92fe9b9d8168612a5232

SHA512
2da6c41a82915323d45887e6282e439275f5115dfcbc8bb659928b3dd7c07fc3d5833b9baa995aca563aae33a779d9df44236db48ece9a67dc17d3117f36a708

Download Submit
C:\Windows\addins\lsass.exe

Filesize
1.7MB

MD5
5611f9a13bc9f94fe959951ca0fa6d30

SHA1
e0e1ba6f5f96bd4e1230df5b6e59b4f0cf87721e

SHA256
6c68a85a8c40681af20a383263b805dbde6fc1b4929ff56cf3f76127505c1f21

SHA512
0c070c5e9de3f93a95b1fa27c57c009b526c3143f6051078830ae01fc414fd1083a1d2d3cbe5ef42b717221715d2b7785b722aa8194af3b62078d09e332233c4

Download Submit
memory/608-145-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/960-146-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1048-338-0x0000000000D30000-0x0000000000EF0000-memory.dmp

Filesize
1.8MB

Download
memory/1048-339-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1420-326-0x0000000000240000-0x0000000000400000-memory.dmp

Filesize
1.8MB

Download
memory/1508-302-0x0000000000A10000-0x0000000000BD0000-memory.dmp

Filesize
1.8MB

Download
memory/1528-197-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/1888-220-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1888-234-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/2192-144-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-6-0x0000000000560000-0x0000000000576000-memory.dmp

Filesize
88KB

Download
memory/2192-20-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-17-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2192-16-0x00000000007A0000-0x00000000007AC000-memory.dmp

Filesize
48KB

Download
memory/2192-15-0x0000000000790000-0x0000000000798000-memory.dmp

Filesize
32KB

Download
memory/2192-14-0x0000000000780000-0x000000000078E000-memory.dmp

Filesize
56KB

Download
memory/2192-13-0x0000000000770000-0x000000000077A000-memory.dmp

Filesize
40KB

Download
memory/2192-1-0x0000000000CA0000-0x0000000000E60000-memory.dmp

Filesize
1.8MB

Download
memory/2192-12-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2192-11-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2192-2-0x000007FEF6340000-0x000007FEF6D2C000-memory.dmp

Filesize
9.9MB

Download
memory/2192-9-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2192-8-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2192-7-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2192-3-0x0000000000520000-0x000000000053C000-memory.dmp

Filesize
112KB

Download
memory/2192-0-0x000007FEF6343000-0x000007FEF6344000-memory.dmp

Filesize
4KB

Download
memory/2192-5-0x0000000000550000-0x0000000000560000-memory.dmp

Filesize
64KB

Download
memory/2192-4-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2228-314-0x0000000001220000-0x00000000013E0000-memory.dmp

Filesize
1.8MB

Download
memory/2840-279-0x00000000003A0000-0x0000000000560000-memory.dmp

Filesize
1.8MB

Download
memory/2936-290-0x0000000000070000-0x0000000000230000-memory.dmp

Filesize
1.8MB

Download