dcrat | 5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 06:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
Size

1.7MB
MD5

75ce4f3a70e6599ce055bca35feed7f0
SHA1

6520f50d5d1c3b26e42cf761d1df884e1ce7b1bb
SHA256

5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925
SHA512

78ef4b4a59b0a21c7daacc3711e4bd323b5f318d90d7f106f46238ed55c40f92267c8a0edf68084fbe5daa30287e59f01f9a9d502524c678bc68051fa2b0abdb
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2900	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2900	schtasks.exe	31

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2280-1-0x0000000001080000-0x0000000001240000-memory.dmp	dcrat
behavioral1/files/0x00050000000194eb-28.dat	dcrat
behavioral1/files/0x0009000000016ce9-104.dat	dcrat
behavioral1/files/0x000c0000000195b3-189.dat	dcrat
behavioral1/memory/2044-248-0x0000000001090000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/2224-271-0x0000000000290000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2860-283-0x00000000011A0000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/2248-317-0x00000000001F0000-0x00000000003B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
1464	powershell.exe
2656	powershell.exe
3040	powershell.exe
2476	powershell.exe
2792	powershell.exe
1948	powershell.exe
1712	powershell.exe
2840	powershell.exe
1884	powershell.exe
2600	powershell.exe
2968	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe

Executes dropped EXE 6 IoCs

pid	Process
2044	lsm.exe
2224	lsm.exe
2860	lsm.exe
2052	lsm.exe
2636	lsm.exe
2248	lsm.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCX538.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXEEF.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXCCB.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXCDC.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\taskhost.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\csrss.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Google\Temp\csrss.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files (x86)\Google\Temp\886983d96e3d3e	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Portable Devices\taskhost.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\wininit.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\csrss.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXEF0.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\wininit.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Internet Explorer\ja-JP\56085415360792	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Program Files\Windows Portable Devices\b75386f1303e64	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCX537.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\System.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\Downloaded Program Files\27d1bcfc3c54e0	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\debug\WIA\RCX1319.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX17AF.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Downloaded Program Files\System.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\debug\WIA\sppsvc.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\debug\WIA\RCX1308.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\debug\WIA\sppsvc.exe	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File opened for modification	C:\Windows\Downloaded Program Files\RCX1741.tmp	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
File created	C:\Windows\debug\WIA\0a1fd5f707cd16	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
656	schtasks.exe
2800	schtasks.exe
1332	schtasks.exe
2400	schtasks.exe
3040	schtasks.exe
1972	schtasks.exe
432	schtasks.exe
928	schtasks.exe
2648	schtasks.exe
2104	schtasks.exe
560	schtasks.exe
2796	schtasks.exe
1892	schtasks.exe
936	schtasks.exe
1016	schtasks.exe
2052	schtasks.exe
2364	schtasks.exe
528	schtasks.exe
1872	schtasks.exe
1980	schtasks.exe
840	schtasks.exe
1352	schtasks.exe
1704	schtasks.exe
2752	schtasks.exe
2732	schtasks.exe
2640	schtasks.exe
2944	schtasks.exe
688	schtasks.exe
2692	schtasks.exe
2604	schtasks.exe
2572	schtasks.exe
2028	schtasks.exe
2912	schtasks.exe
832	schtasks.exe
2720	schtasks.exe
2120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2968	powershell.exe
3040	powershell.exe
2840	powershell.exe
1464	powershell.exe
1948	powershell.exe
2752	powershell.exe
2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
2792	powershell.exe
2476	powershell.exe
2600	powershell.exe
2656	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2044	lsm.exe
Token: SeDebugPrivilege	2224	lsm.exe
Token: SeDebugPrivilege	2860	lsm.exe
Token: SeDebugPrivilege	2052	lsm.exe
Token: SeDebugPrivilege	2636	lsm.exe
Token: SeDebugPrivilege	2248	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2752	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	68
PID 2280 wrote to memory of 2752	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	68
PID 2280 wrote to memory of 2752	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	68
PID 2280 wrote to memory of 2840	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	69
PID 2280 wrote to memory of 2840	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	69
PID 2280 wrote to memory of 2840	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	69
PID 2280 wrote to memory of 2968	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	70
PID 2280 wrote to memory of 2968	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	70
PID 2280 wrote to memory of 2968	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	70
PID 2280 wrote to memory of 1712	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	71
PID 2280 wrote to memory of 1712	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	71
PID 2280 wrote to memory of 1712	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	71
PID 2280 wrote to memory of 1948	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	72
PID 2280 wrote to memory of 1948	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	72
PID 2280 wrote to memory of 1948	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	72
PID 2280 wrote to memory of 2656	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	73
PID 2280 wrote to memory of 2656	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	73
PID 2280 wrote to memory of 2656	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	73
PID 2280 wrote to memory of 3040	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	74
PID 2280 wrote to memory of 3040	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	74
PID 2280 wrote to memory of 3040	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	74
PID 2280 wrote to memory of 1464	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	76
PID 2280 wrote to memory of 1464	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	76
PID 2280 wrote to memory of 1464	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	76
PID 2280 wrote to memory of 2600	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	77
PID 2280 wrote to memory of 2600	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	77
PID 2280 wrote to memory of 2600	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	77
PID 2280 wrote to memory of 1884	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	78
PID 2280 wrote to memory of 1884	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	78
PID 2280 wrote to memory of 1884	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	78
PID 2280 wrote to memory of 2792	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	80
PID 2280 wrote to memory of 2792	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	80
PID 2280 wrote to memory of 2792	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	80
PID 2280 wrote to memory of 2476	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	82
PID 2280 wrote to memory of 2476	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	82
PID 2280 wrote to memory of 2476	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	82
PID 2280 wrote to memory of 2044	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	92
PID 2280 wrote to memory of 2044	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	92
PID 2280 wrote to memory of 2044	2280	5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe	92
PID 2044 wrote to memory of 2924	2044	lsm.exe	93
PID 2044 wrote to memory of 2924	2044	lsm.exe	93
PID 2044 wrote to memory of 2924	2044	lsm.exe	93
PID 2044 wrote to memory of 3000	2044	lsm.exe	94
PID 2044 wrote to memory of 3000	2044	lsm.exe	94
PID 2044 wrote to memory of 3000	2044	lsm.exe	94
PID 2924 wrote to memory of 2224	2924	WScript.exe	95
PID 2924 wrote to memory of 2224	2924	WScript.exe	95
PID 2924 wrote to memory of 2224	2924	WScript.exe	95
PID 2224 wrote to memory of 672	2224	lsm.exe	96
PID 2224 wrote to memory of 672	2224	lsm.exe	96
PID 2224 wrote to memory of 672	2224	lsm.exe	96
PID 2224 wrote to memory of 2252	2224	lsm.exe	97
PID 2224 wrote to memory of 2252	2224	lsm.exe	97
PID 2224 wrote to memory of 2252	2224	lsm.exe	97
PID 672 wrote to memory of 2860	672	WScript.exe	98
PID 672 wrote to memory of 2860	672	WScript.exe	98
PID 672 wrote to memory of 2860	672	WScript.exe	98
PID 2860 wrote to memory of 2748	2860	lsm.exe	99
PID 2860 wrote to memory of 2748	2860	lsm.exe	99
PID 2860 wrote to memory of 2748	2860	lsm.exe	99
PID 2860 wrote to memory of 1332	2860	lsm.exe	100
PID 2860 wrote to memory of 1332	2860	lsm.exe	100
PID 2860 wrote to memory of 1332	2860	lsm.exe	100
PID 2748 wrote to memory of 2052	2748	WScript.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe
"C:\Users\Admin\AppData\Local\Temp\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe
  "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09ed54ae-3a16-4faa-a3ab-0787fd1cbcc2.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe
      "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2224
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43f1fd78-51b4-48da-837c-ac077d43b987.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:672
      - C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9400f4cc-aecb-42e7-8ebc-5a19ab90e32f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8df722d-e001-43f0-b73d-793b4f0e7442.vbs"
        9⤵
        
        PID:1116
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b09919e-e265-4ad2-8e6f-45995692a952.vbs"
        11⤵
        
        PID:2648
        
        C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5227714a-eae2-408e-a018-a67339c3c77b.vbs"
        13⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa84e57d-6701-495f-b5ab-9d182d46c892.vbs"
        13⤵
        
        PID:940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08704942-0c75-404c-8b2c-28a3d2136f69.vbs"
        11⤵
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fbea0ec7-e67f-474a-baa8-0bef7d107762.vbs"
        9⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5ea51e9d-57f1-4053-83f1-b43455f21c3d.vbs"
        7⤵
        
        PID:1332
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b39443a7-0c58-4bf5-a9b0-242de541dfce.vbs"
        5⤵
        
        PID:2252
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59ffd7a3-d6ac-479a-a650-314066e542a2.vbs"
    3⤵
    PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N5" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N" /sc ONLOGON /tr "'C:\MSOCache\All Users\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N5" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Internet Explorer\ja-JP\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N5" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N5" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\WIA\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Default\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Downloaded Program Files\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe

Filesize
1.7MB

MD5
75ce4f3a70e6599ce055bca35feed7f0

SHA1
6520f50d5d1c3b26e42cf761d1df884e1ce7b1bb

SHA256
5583a5c44c0062c4bf750bed5f62ed12ccafc68c94e7f3aa2b12bcff0c88b925

SHA512
78ef4b4a59b0a21c7daacc3711e4bd323b5f318d90d7f106f46238ed55c40f92267c8a0edf68084fbe5daa30287e59f01f9a9d502524c678bc68051fa2b0abdb

Download Submit
C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe

Filesize
1.7MB

MD5
5dbad63685cdd69dc08319cf0da76c13

SHA1
b792a833c609a82048b7d33dfef107a55bbab6dc

SHA256
c80abfe60a0a702715a58184c1ac8e95aafc15d59a85c7b61b7c8d68da392fba

SHA512
b726bf120e723aae035f052843534c1fe6657313ad8f384e61ea6bae84fa1f09ecfa19da33e00c94b6ba16128ff17f798e3d2c34c3443349dbb8ce439550ca6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\09ed54ae-3a16-4faa-a3ab-0787fd1cbcc2.vbs

Filesize
759B

MD5
898a9efe800270380b29bcb2b47a7bd0

SHA1
5b84320eb21103aa6fc8834e191bb56280959812

SHA256
2569d5af1e8b0a377a9b2122b07c2cd5fb6ce6a3e61c48321216e974afda8ae5

SHA512
20f9946921e44eb7ed08ee163de2c422d2512c1937f71e3e505dea18cee0c11e5c15a0a0cf594bff008805ddc278084794d6c92739a29d306269d2d7d7729c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\43f1fd78-51b4-48da-837c-ac077d43b987.vbs

Filesize
759B

MD5
27fc09c77529690cdb47ab914ef84630

SHA1
a61db9fbe7ec64c9a37a87eabc3fdf248e4f63a5

SHA256
30ddbf6fe92c42d2bd8b56c61bd9dafefc6ce945f18c404c0a635bf93dc57192

SHA512
e40dddeb78dadcffdd22ffe7be81caa2290a6572d89afd58803d8ced9826e62b57448d20b589e3807dbc4f952b97d5bab4c8f5a3889bda63e5f2c716c047bfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\5227714a-eae2-408e-a018-a67339c3c77b.vbs

Filesize
759B

MD5
5da4edfaf5e9e59ecf11f5bf5be53f05

SHA1
95824c902c10c04b0d638c790f4ad9f6a96d2943

SHA256
177eb8220221dbab7835ae8917db0187d47aeee0cdc903fe293f1e666ae87a8a

SHA512
ab73e16aaca2b0fb4562819609c0034744bc3614fb90307b25b867433f178939cead2a563544efeec10580b9072504f5adbbb16e499037d6784e198eaedf1aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\59ffd7a3-d6ac-479a-a650-314066e542a2.vbs

Filesize
535B

MD5
9f4998c5b02f5fc023a8919b73378cb5

SHA1
5cae3a20731f68446eec6dec2dc772591bfca0cc

SHA256
f591f0687b3aedfa9c3e354e6d75e14ec6faf6a192b86020c92af56a2a88935d

SHA512
be8efc0bcaf1d801f785eb46e8521d69241b262b56866dac932a07cffa3de57f99a32cbde81afcae03973e5a1d1d88e84a39b457fbc926f3f05c5b3084d26033

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b09919e-e265-4ad2-8e6f-45995692a952.vbs

Filesize
759B

MD5
2e4fbcdda97cd5f648e7c35c6bb476f1

SHA1
8154780d4eb5aa53a8b95cf8c8e3c09d13e23feb

SHA256
db1d5d88263ea7f4dcc23f40d8e64145af08b02d7400ee721bd013c2fc1f1e2e

SHA512
5272cd9ab58097a1b4d0e99bf12c091f0cccc980fc8a07b32d8559fbbcc7308b061213db823e3dc5de7d10a9b5f0c6474aaaf3b4b4a84b1c0e7c9e13680f34a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9400f4cc-aecb-42e7-8ebc-5a19ab90e32f.vbs

Filesize
759B

MD5
c7b54857680846a8884f3545ea8dcfe6

SHA1
4b21accd6630ce8e6388249ab62d28f85ce629c4

SHA256
4c90fbbd5caeedc5f93b542c83e7532109f975c5afec78f95f99ed3f5b970edd

SHA512
f08cc03690ca4af67a6b866d529d695170b85161c3bb65b6e59b16d385d82420dd2f71f692074edd9b184fff4a61e147cf9c5bec2cca22eccbf36c46c59734c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8df722d-e001-43f0-b73d-793b4f0e7442.vbs

Filesize
759B

MD5
42be5cf3f0337b5af93623a988f97364

SHA1
8201ced93c732d5d3da89f348068cb6e9e198913

SHA256
cbdfc24037c1b0462d8bc6da3823d773bfda70370bb747a175485cc5ee0b35c5

SHA512
fe64a82ad7499f1c95e52c6edcfcb5afdd3a06af7d12720871d2fa457fd6e9378f6656dac23972a70b95074128d5cfc44d5467ec6b8f052fe7a9a1aecbed1767

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
38a9b30f420dfb3d3fde245f092f0d79

SHA1
68bd95e1f8309b76b18b813a9ac820313d425311

SHA256
b31209af2afdcc5a0cfc4ecb80ce759487c42575286a51188e593e2024873741

SHA512
adb6f03a95ef213dc6b125b3bd7a982a7ae98800411bd0af59b2ad441124c81723fec14dd9daaa45e9592cb095877425bbae38b4a0d8f1c260e60e50930896f3

Download Submit
C:\Windows\Downloaded Program Files\RCX17AF.tmp

Filesize
1.7MB

MD5
34689cb74f0d0f6c1635e454d7de42b5

SHA1
1eb6e5b0d60ef20f6d2864a4cf4cdea913374993

SHA256
25aded85cdd750d0221c0144741d2b3607777ba4ebc0f55967875d815b012beb

SHA512
b94afc57e9da38da07064ce3aa8d283809bfa54de386ef0ed0be9476b7f819076f566efc085cb749b0e847b4e6597fde8b3171402533f382437aab0438d1209a

Download Submit
memory/1712-231-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2044-248-0x0000000001090000-0x0000000001250000-memory.dmp

Filesize
1.8MB

Download
memory/2224-271-0x0000000000290000-0x0000000000450000-memory.dmp

Filesize
1.8MB

Download
memory/2248-317-0x00000000001F0000-0x00000000003B0000-memory.dmp

Filesize
1.8MB

Download
memory/2248-318-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/2280-11-0x000000001A660000-0x000000001A672000-memory.dmp

Filesize
72KB

Download
memory/2280-12-0x000000001A690000-0x000000001A69C000-memory.dmp

Filesize
48KB

Download
memory/2280-21-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-17-0x000000001AD00000-0x000000001AD0C000-memory.dmp

Filesize
48KB

Download
memory/2280-15-0x000000001A7C0000-0x000000001A7C8000-memory.dmp

Filesize
32KB

Download
memory/2280-118-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2280-143-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-16-0x000000001A7D0000-0x000000001A7DC000-memory.dmp

Filesize
48KB

Download
memory/2280-191-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-14-0x000000001A7B0000-0x000000001A7BE000-memory.dmp

Filesize
56KB

Download
memory/2280-13-0x000000001A7A0000-0x000000001A7AA000-memory.dmp

Filesize
40KB

Download
memory/2280-1-0x0000000001080000-0x0000000001240000-memory.dmp

Filesize
1.8MB

Download
memory/2280-254-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-18-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-260-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2280-9-0x000000001A650000-0x000000001A658000-memory.dmp

Filesize
32KB

Download
memory/2280-8-0x000000001A640000-0x000000001A64C000-memory.dmp

Filesize
48KB

Download
memory/2280-6-0x0000000001050000-0x0000000001066000-memory.dmp

Filesize
88KB

Download
memory/2280-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2280-7-0x0000000001070000-0x0000000001080000-memory.dmp

Filesize
64KB

Download
memory/2280-5-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2280-4-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2280-3-0x0000000000AA0000-0x0000000000ABC000-memory.dmp

Filesize
112KB

Download
memory/2860-283-0x00000000011A0000-0x0000000001360000-memory.dmp

Filesize
1.8MB

Download
memory/2968-249-0x00000000026F0000-0x00000000026F8000-memory.dmp

Filesize
32KB

Download