dcrat | ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17ace

Analysis

max time kernel
120s
max time network
116s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
Size

1.7MB
MD5

8f1577b59c8f8b144134030e7f0952d0
SHA1

6614cc712104223277965fdd29e5a47568fcaf56
SHA256

ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17ace
SHA512

2471c441cd26577427799248823851f93604a771911ba302a7c6757c5602f9007d2c68364a69f0ba2accd7c48b7e8626c5cb19338a2cec1e31d2d844e4abc06f
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2628	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2628	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/844-1-0x00000000008E0000-0x0000000000AA0000-memory.dmp	dcrat
behavioral1/files/0x000500000001a471-29.dat	dcrat
behavioral1/files/0x000700000001c858-95.dat	dcrat
behavioral1/files/0x000d0000000195bb-133.dat	dcrat
behavioral1/files/0x000700000001a47b-144.dat	dcrat
behavioral1/memory/1724-229-0x0000000000990000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/2076-290-0x0000000000350000-0x0000000000510000-memory.dmp	dcrat
behavioral1/memory/2412-302-0x0000000000300000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2668-314-0x0000000000EB0000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/2180-325-0x00000000003F0000-0x00000000005B0000-memory.dmp	dcrat
behavioral1/memory/2696-338-0x00000000011A0000-0x0000000001360000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
2304	powershell.exe
1660	powershell.exe
1072	powershell.exe
1028	powershell.exe
2668	powershell.exe
2624	powershell.exe
524	powershell.exe
2932	powershell.exe
2116	powershell.exe
2576	powershell.exe
1216	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Executes dropped EXE 7 IoCs

pid	Process
1724	System.exe
2076	System.exe
2412	System.exe
2668	System.exe
2180	System.exe
2696	System.exe
2784	System.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\27d1bcfc3c54e0	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\RCX6AEA.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\RCX6AFA.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\56085415360792	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX5AC5.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Uninstall Information\taskhost.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Mozilla Firefox\886983d96e3d3e	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Uninstall Information\taskhost.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX569C.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Windows Sidebar\spoolsv.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Mozilla Firefox\csrss.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Windows Media Player\27d1bcfc3c54e0	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\RCX58C1.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\services.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Windows Photo Viewer\System.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\System.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Windows Photo Viewer\27d1bcfc3c54e0	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCX649E.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX68D5.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6D1E.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\spoolsv.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCX5B43.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCX6F32.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\wininit.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Windows Media Player\System.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Uninstall Information\b75386f1303e64	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCX5469.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX6D0E.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCX5479.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\RCX58C2.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCX6420.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Mozilla Firefox\csrss.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Media Player\System.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RCX6F42.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Windows Sidebar\f3b6ecef712a24	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\RCX56AD.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\services.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\Java\jre7\bin\dtplugin\c5b4cb5e9653cc	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\bc5104951f38d1	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\wininit.exe	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX68E6.tmp	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
2944	schtasks.exe
1924	schtasks.exe
832	schtasks.exe
2068	schtasks.exe
2820	schtasks.exe
2420	schtasks.exe
2400	schtasks.exe
2052	schtasks.exe
388	schtasks.exe
828	schtasks.exe
2492	schtasks.exe
2880	schtasks.exe
2624	schtasks.exe
2780	schtasks.exe
1968	schtasks.exe
1384	schtasks.exe
2328	schtasks.exe
2940	schtasks.exe
2680	schtasks.exe
616	schtasks.exe
280	schtasks.exe
1764	schtasks.exe
2468	schtasks.exe
1548	schtasks.exe
2712	schtasks.exe
576	schtasks.exe
1660	schtasks.exe
2948	schtasks.exe
2228	schtasks.exe
2576	schtasks.exe
588	schtasks.exe
1732	schtasks.exe
1600	schtasks.exe
2692	schtasks.exe
2144	schtasks.exe
332	schtasks.exe
2424	schtasks.exe
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
2304	powershell.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
2932	powershell.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
2576	powershell.exe
2624	powershell.exe
844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1724	System.exe
Token: SeDebugPrivilege	2076	System.exe
Token: SeDebugPrivilege	2412	System.exe
Token: SeDebugPrivilege	2668	System.exe
Token: SeDebugPrivilege	2180	System.exe
Token: SeDebugPrivilege	2696	System.exe
Token: SeDebugPrivilege	2784	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 844 wrote to memory of 2932	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	70
PID 844 wrote to memory of 2932	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	70
PID 844 wrote to memory of 2932	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	70
PID 844 wrote to memory of 1660	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	71
PID 844 wrote to memory of 1660	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	71
PID 844 wrote to memory of 1660	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	71
PID 844 wrote to memory of 2304	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	72
PID 844 wrote to memory of 2304	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	72
PID 844 wrote to memory of 2304	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	72
PID 844 wrote to memory of 2340	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	73
PID 844 wrote to memory of 2340	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	73
PID 844 wrote to memory of 2340	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	73
PID 844 wrote to memory of 524	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	76
PID 844 wrote to memory of 524	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	76
PID 844 wrote to memory of 524	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	76
PID 844 wrote to memory of 2668	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	77
PID 844 wrote to memory of 2668	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	77
PID 844 wrote to memory of 2668	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	77
PID 844 wrote to memory of 2624	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	78
PID 844 wrote to memory of 2624	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	78
PID 844 wrote to memory of 2624	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	78
PID 844 wrote to memory of 1028	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	80
PID 844 wrote to memory of 1028	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	80
PID 844 wrote to memory of 1028	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	80
PID 844 wrote to memory of 1216	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	82
PID 844 wrote to memory of 1216	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	82
PID 844 wrote to memory of 1216	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	82
PID 844 wrote to memory of 1072	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	83
PID 844 wrote to memory of 1072	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	83
PID 844 wrote to memory of 1072	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	83
PID 844 wrote to memory of 2576	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	84
PID 844 wrote to memory of 2576	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	84
PID 844 wrote to memory of 2576	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	84
PID 844 wrote to memory of 2116	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	85
PID 844 wrote to memory of 2116	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	85
PID 844 wrote to memory of 2116	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	85
PID 844 wrote to memory of 1724	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	94
PID 844 wrote to memory of 1724	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	94
PID 844 wrote to memory of 1724	844	ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe	94
PID 1724 wrote to memory of 648	1724	System.exe	95
PID 1724 wrote to memory of 648	1724	System.exe	95
PID 1724 wrote to memory of 648	1724	System.exe	95
PID 1724 wrote to memory of 2240	1724	System.exe	96
PID 1724 wrote to memory of 2240	1724	System.exe	96
PID 1724 wrote to memory of 2240	1724	System.exe	96
PID 648 wrote to memory of 2076	648	WScript.exe	97
PID 648 wrote to memory of 2076	648	WScript.exe	97
PID 648 wrote to memory of 2076	648	WScript.exe	97
PID 2076 wrote to memory of 2968	2076	System.exe	98
PID 2076 wrote to memory of 2968	2076	System.exe	98
PID 2076 wrote to memory of 2968	2076	System.exe	98
PID 2076 wrote to memory of 3032	2076	System.exe	99
PID 2076 wrote to memory of 3032	2076	System.exe	99
PID 2076 wrote to memory of 3032	2076	System.exe	99
PID 2968 wrote to memory of 2412	2968	WScript.exe	100
PID 2968 wrote to memory of 2412	2968	WScript.exe	100
PID 2968 wrote to memory of 2412	2968	WScript.exe	100
PID 2412 wrote to memory of 2332	2412	System.exe	101
PID 2412 wrote to memory of 2332	2412	System.exe	101
PID 2412 wrote to memory of 2332	2412	System.exe	101
PID 2412 wrote to memory of 2808	2412	System.exe	102
PID 2412 wrote to memory of 2808	2412	System.exe	102
PID 2412 wrote to memory of 2808	2412	System.exe	102
PID 2332 wrote to memory of 2668	2332	WScript.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe
"C:\Users\Admin\AppData\Local\Temp\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2340
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Program Files\Windows Media Player\System.exe
  "C:\Program Files\Windows Media Player\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\317e6680-3f74-4947-8b4e-7b4bcb996b46.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Program Files\Windows Media Player\System.exe
      "C:\Program Files\Windows Media Player\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1c9cb69-9f77-4287-a6e3-68af3384edb6.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Program Files\Windows Media Player\System.exe
        
        "C:\Program Files\Windows Media Player\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08e01699-7d20-4623-b0d1-4abff4a948f2.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Program Files\Windows Media Player\System.exe
        
        "C:\Program Files\Windows Media Player\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1556f3a-85bd-4609-8407-7feaba8b7af6.vbs"
        9⤵
        
        PID:2264
        
        C:\Program Files\Windows Media Player\System.exe
        
        "C:\Program Files\Windows Media Player\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9648af41-5766-4e20-8f21-81483fc3eece.vbs"
        11⤵
        
        PID:2260
        
        C:\Program Files\Windows Media Player\System.exe
        
        "C:\Program Files\Windows Media Player\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\52c7ad92-16db-452c-8536-27b451059208.vbs"
        13⤵
        
        PID:1332
        
        C:\Program Files\Windows Media Player\System.exe
        
        "C:\Program Files\Windows Media Player\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\06ec8487-98cb-4024-86db-916f0ad077e5.vbs"
        15⤵
        
        PID:1608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\79a875d6-fe1c-4340-b36d-85e1bdb1e5f5.vbs"
        15⤵
        
        PID:2420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3879d25-6a56-4fbd-a239-d812f5164a4d.vbs"
        13⤵
        
        PID:2892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b287ceb6-883f-4555-a2b2-0e42fa050d9d.vbs"
        11⤵
        
        PID:2948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9d62fe4-d081-4b2a-9e07-fa69fd65a93a.vbs"
        9⤵
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb7869a4-bda7-41fd-98c7-330b071d6840.vbs"
        7⤵
        
        PID:2808
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed8d8f0b-5a79-4cfd-9456-629329c90421.vbs"
        5⤵
        
        PID:3032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b243052a-396a-407e-8b8f-9dcb2949d58c.vbs"
    3⤵
    PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dtplugin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\dtplugin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceNa" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceNa" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\WmiPrvSE.exe

Filesize
1.7MB

MD5
8f1577b59c8f8b144134030e7f0952d0

SHA1
6614cc712104223277965fdd29e5a47568fcaf56

SHA256
ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17ace

SHA512
2471c441cd26577427799248823851f93604a771911ba302a7c6757c5602f9007d2c68364a69f0ba2accd7c48b7e8626c5cb19338a2cec1e31d2d844e4abc06f

Download Submit
C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.7MB

MD5
6adc9a0c170a01031f4746bd071ccb2c

SHA1
05d46ced44985b38ef9327eb5b8b3c006ab26717

SHA256
16224939e85a47d7690e9a4d76225077ac95e6e5c9ea9120b87a4bd07c50bdc5

SHA512
5082b1cb766a936ddcea8b5b331e907a16e0a3a76c0cf2f5640dc04d3e36f59d7c57d61a6d090bdaaad81e21763cb24da0c74ac4bd8528ba53a01a5e7fc11422

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\ac032868836a24978e6da27b418e45a1be8415fe6a6e96970c7aeb4845c17aceN.exe

Filesize
1.7MB

MD5
745f8546dca325996d8a7d8b9126157c

SHA1
f9373b6452edc3a0a47125d3fb0c0918c52c2e1e

SHA256
904a791d2694bab00e3be839070b35154ae7801899b2eaaa1ba370eda7d5b56f

SHA512
3df45c3d407038151af36f8988cd49209a0f465cc9aa393df532a0c890d0ca302c654f7a6aa9f8f5b90ff142ca9239a8782618c9d841b0e3006b81d1a8519615

Download Submit
C:\Program Files\Mozilla Firefox\csrss.exe

Filesize
1.7MB

MD5
817e7dcc671bfefcd37a96e4bae6fa92

SHA1
aec6cda49ae3b1a20b38bbcf44829b7e7c92a96d

SHA256
b269891343da9ede35e117921a1e6a703ece2187dac41ecc5888c8338d8915e6

SHA512
53026b402854a4a5b57fc8c54909a0e0f5fb524e353c45e28d4df48e2563d11649e44e7059b3f24369d604ef89336a44050f7b07fa19a8882855271f8bc8b9c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\06ec8487-98cb-4024-86db-916f0ad077e5.vbs

Filesize
724B

MD5
c959899bf930870a171637600691826f

SHA1
8aad88930a71e2514d0383277fadd696ecce782d

SHA256
9f65481e80c39f1839c56a9520ff2934e3d9f293fb886c7289226a15491ebaa5

SHA512
5fe8323a893d91b0e0926f70c79bcb2c2e88368590785ac2a5fa0ad687fda226291135138b4cd7ba9988b496c22478408680597794ddafb19065f25084dbebb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\08e01699-7d20-4623-b0d1-4abff4a948f2.vbs

Filesize
724B

MD5
316c4d424821d2c99b846db60f0e900f

SHA1
5a29341f64d7bf97185ba6c994967d4e27169d1f

SHA256
13f55d602ad7b00f2d39a1d19b79156787dfd529213f6487da551b0276882f06

SHA512
4ba9533d6033e60242a7f1cbd3bceab6e446185d138f06c58b7281aeee5357caf239364568be4c0c89973fcef7f1924f0beeafbbcc9a4c3c9026e140961fe5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\317e6680-3f74-4947-8b4e-7b4bcb996b46.vbs

Filesize
724B

MD5
8dac1453f114f275ab236f1e18dc7bb8

SHA1
b81ffc15e66f6dcd14580b10f0d466c01ebc4679

SHA256
ac532745b4bceccd0523078093674fe765b880bb81bdaab972927bacc0dba1ce

SHA512
6dda7a3cff1d7fbf15cac8e08173012b0b67ff0ce5980b9853cb2ff3d71f675f78a6c43efda0004f606ebf38809d5c24dd554c9c4c20c220b17c77a4269fb023

Download Submit
C:\Users\Admin\AppData\Local\Temp\52c7ad92-16db-452c-8536-27b451059208.vbs

Filesize
724B

MD5
24c87fb4d112a441adb1bb8aee557b65

SHA1
899c1dea348b7255ac16697db40afea589c7327a

SHA256
b19b2b8ab585f27f6b55bf88ea155c0d306144ae1a15a593b1383b697b029cfb

SHA512
f431854a32b61bcde95ed132f45f53e38740b914ce7ad7f38e5da0edef6efe4b7a12f194b34d0c456a9fb29897edb36a461b522519ab429babab5eaff337e99e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9648af41-5766-4e20-8f21-81483fc3eece.vbs

Filesize
724B

MD5
58ea4025ef8187116c17923dc7efecca

SHA1
63e72b6824dcc37f3be617c9ce3a8dcd7ea5aa4e

SHA256
fb8b512249df262aafb758cdd1b92db4088d85fd873cb960377f822039c8784b

SHA512
a2480fc9266448c5376ef391a74162d6459601db2bfea821a1b1ebbe522e9c387a7d105f38fe8e8e5030b8dc58ea7c82bf9fad4414f87353752a0c6d1b4a986d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b243052a-396a-407e-8b8f-9dcb2949d58c.vbs

Filesize
500B

MD5
7eca24b5cb706f80a829b088081af968

SHA1
a35ac7dcff247b07480bbc1d0b3c02e7a6974d24

SHA256
2b5383a5a912180eecb1afa50678c5b8fb07381f8ae9a630b1ca65bc2ed319d2

SHA512
6e905a3dee5061272185d41fba04be8fa6e5b77f76853c81fe9d395b896138df2b464f7d47a6cc98cc2fec0d2417484f126da8e7b6209024b1b092954c94b9de

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1c9cb69-9f77-4287-a6e3-68af3384edb6.vbs

Filesize
724B

MD5
24640ca6ce225819ce65fbc9320b76e6

SHA1
5f99eae2cf281cdea01c082a7ca6520a3cc07287

SHA256
8143555123454d857e9acc265b54d41816b0794b094d0dc4971ce77b8b40f470

SHA512
8d3e90d09ed3ada701d43fec7ff475f86d11924400893d76679d106cab1f715aac8e33d33db45ba510f6112face235dbc87278cda59facf4446c0415a999a2c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9e48b062eea7bd2d127b5d42c25c21b4

SHA1
7c8ae66d4c63767430cdce96ea690f35ef55496e

SHA256
8d6fcd97c2d372a7a68b3c017bac644f71a7ca42f19659f97781bb3986e381aa

SHA512
91d83a6f3c6f9467ec9782338e268bd6e1245c796bee8adc960b43897344c3ecd3dcc46047059c03b4caa831d78d6d21fb8a62c3582b35fd255da03b5f4fe5c9

Download Submit
memory/844-12-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/844-228-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-15-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/844-16-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/844-17-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/844-19-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-23-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-26-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-13-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/844-76-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/844-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/844-124-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-11-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/844-9-0x0000000000510000-0x0000000000518000-memory.dmp

Filesize
32KB

Download
memory/844-171-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-196-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-1-0x00000000008E0000-0x0000000000AA0000-memory.dmp

Filesize
1.8MB

Download
memory/844-14-0x0000000000890000-0x000000000089E000-memory.dmp

Filesize
56KB

Download
memory/844-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-3-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/844-8-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/844-279-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/844-7-0x00000000004F0000-0x0000000000500000-memory.dmp

Filesize
64KB

Download
memory/844-6-0x00000000004D0000-0x00000000004E6000-memory.dmp

Filesize
88KB

Download
memory/844-4-0x0000000000460000-0x0000000000468000-memory.dmp

Filesize
32KB

Download
memory/844-5-0x00000000004C0000-0x00000000004D0000-memory.dmp

Filesize
64KB

Download
memory/1724-229-0x0000000000990000-0x0000000000B50000-memory.dmp

Filesize
1.8MB

Download
memory/2076-290-0x0000000000350000-0x0000000000510000-memory.dmp

Filesize
1.8MB

Download
memory/2180-325-0x00000000003F0000-0x00000000005B0000-memory.dmp

Filesize
1.8MB

Download
memory/2180-326-0x0000000002010000-0x0000000002022000-memory.dmp

Filesize
72KB

Download
memory/2304-226-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2304-227-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2412-302-0x0000000000300000-0x00000000004C0000-memory.dmp

Filesize
1.8MB

Download
memory/2668-314-0x0000000000EB0000-0x0000000001070000-memory.dmp

Filesize
1.8MB

Download
memory/2696-338-0x00000000011A0000-0x0000000001360000-memory.dmp

Filesize
1.8MB

Download