dcrat | e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345

Analysis

max time kernel
119s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
17/12/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
Size

1.7MB
MD5

d337a1cc8b6b0d9f1c16ec727b3197e2
SHA1

01dbeb18baa4efb70b3a30930e08d89e2e25c05a
SHA256

e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345
SHA512

d20493b21aceb61d5e8c49afa8cd0cdd14234b9b3d94d4f8af92f0b64cb4542fc154cd29339b1f56abae14c97b752f8f6b81d6e86e301c3576117fa510879285
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvV:eTHUxUoh1IF9gl2e

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2580	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2580	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2660-1-0x0000000000EC0000-0x0000000001080000-memory.dmp	dcrat
behavioral1/files/0x0005000000019d8e-27.dat	dcrat
behavioral1/files/0x00100000000122cf-110.dat	dcrat
behavioral1/memory/2796-315-0x0000000000FD0000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/1392-360-0x00000000012F0000-0x00000000014B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2620	powershell.exe
2508	powershell.exe
1152	powershell.exe
584	powershell.exe
900	powershell.exe
1172	powershell.exe
876	powershell.exe
692	powershell.exe
348	powershell.exe
1328	powershell.exe
2540	powershell.exe
2252	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Executes dropped EXE 7 IoCs

pid	Process
2796	lsm.exe
1436	lsm.exe
2812	lsm.exe
2096	lsm.exe
1392	lsm.exe
2396	lsm.exe
2740	lsm.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX37B6.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX4529.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files\Windows Media Player\56085415360792	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX37B5.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Media Player\wininit.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX5550.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\RCX534B.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX5551.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files\Windows Media Player\wininit.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX5146.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX3A38.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\services.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\f3b6ecef712a24	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\b75386f1303e64	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files\Microsoft Games\Mahjong\c5b4cb5e9653cc	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\RCX534C.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\69ddcba757bf72	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\b75386f1303e64	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Windows Defender\es-ES\smss.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files\Microsoft Games\Mahjong\services.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\RCX3A37.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX3CAA.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX5147.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Portable Devices\audiodg.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files\Windows Media Player\RCX452A.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\smss.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCX3CA9.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\dllhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\Performance\WinSAT\5940a34987c991	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\Performance\WinSAT\dllhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\Logs\DISM\dllhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\Logs\DISM\dllhost.exe	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File created	C:\Windows\Logs\DISM\5940a34987c991	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\Performance\WinSAT\RCX4933.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\Performance\WinSAT\RCX4934.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\Logs\DISM\RCX4D3C.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
File opened for modification	C:\Windows\Logs\DISM\RCX4D3D.tmp	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3060	schtasks.exe
2992	schtasks.exe
1764	schtasks.exe
3032	schtasks.exe
1628	schtasks.exe
2316	schtasks.exe
2664	schtasks.exe
2584	schtasks.exe
2736	schtasks.exe
2396	schtasks.exe
2140	schtasks.exe
2504	schtasks.exe
2880	schtasks.exe
1176	schtasks.exe
1644	schtasks.exe
2524	schtasks.exe
2092	schtasks.exe
2892	schtasks.exe
2252	schtasks.exe
584	schtasks.exe
784	schtasks.exe
2248	schtasks.exe
2968	schtasks.exe
2056	schtasks.exe
2540	schtasks.exe
2024	schtasks.exe
2180	schtasks.exe
920	schtasks.exe
2552	schtasks.exe
1952	schtasks.exe
1060	schtasks.exe
696	schtasks.exe
2080	schtasks.exe
1672	schtasks.exe
556	schtasks.exe
2176	schtasks.exe
1740	schtasks.exe
2448	schtasks.exe
780	schtasks.exe
2020	schtasks.exe
1984	schtasks.exe
2464	schtasks.exe
2452	schtasks.exe
2384	schtasks.exe
1556	schtasks.exe
1092	schtasks.exe
2328	schtasks.exe
1256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
692	powershell.exe
1152	powershell.exe
1328	powershell.exe
2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
348	powershell.exe
2508	powershell.exe
1172	powershell.exe
2540	powershell.exe
900	powershell.exe
2252	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2796	lsm.exe
Token: SeDebugPrivilege	1436	lsm.exe
Token: SeDebugPrivilege	2812	lsm.exe
Token: SeDebugPrivilege	2096	lsm.exe
Token: SeDebugPrivilege	1392	lsm.exe
Token: SeDebugPrivilege	2396	lsm.exe
Token: SeDebugPrivilege	2740	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2252	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	79
PID 2660 wrote to memory of 2252	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	79
PID 2660 wrote to memory of 2252	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	79
PID 2660 wrote to memory of 1328	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	80
PID 2660 wrote to memory of 1328	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	80
PID 2660 wrote to memory of 1328	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	80
PID 2660 wrote to memory of 692	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	81
PID 2660 wrote to memory of 692	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	81
PID 2660 wrote to memory of 692	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	81
PID 2660 wrote to memory of 2620	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	82
PID 2660 wrote to memory of 2620	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	82
PID 2660 wrote to memory of 2620	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	82
PID 2660 wrote to memory of 2540	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	83
PID 2660 wrote to memory of 2540	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	83
PID 2660 wrote to memory of 2540	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	83
PID 2660 wrote to memory of 2508	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	84
PID 2660 wrote to memory of 2508	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	84
PID 2660 wrote to memory of 2508	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	84
PID 2660 wrote to memory of 1152	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	85
PID 2660 wrote to memory of 1152	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	85
PID 2660 wrote to memory of 1152	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	85
PID 2660 wrote to memory of 584	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	86
PID 2660 wrote to memory of 584	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	86
PID 2660 wrote to memory of 584	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	86
PID 2660 wrote to memory of 900	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	87
PID 2660 wrote to memory of 900	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	87
PID 2660 wrote to memory of 900	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	87
PID 2660 wrote to memory of 1172	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	88
PID 2660 wrote to memory of 1172	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	88
PID 2660 wrote to memory of 1172	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	88
PID 2660 wrote to memory of 876	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	89
PID 2660 wrote to memory of 876	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	89
PID 2660 wrote to memory of 876	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	89
PID 2660 wrote to memory of 348	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	90
PID 2660 wrote to memory of 348	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	90
PID 2660 wrote to memory of 348	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	90
PID 2660 wrote to memory of 2796	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	103
PID 2660 wrote to memory of 2796	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	103
PID 2660 wrote to memory of 2796	2660	e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe	103
PID 2796 wrote to memory of 2148	2796	lsm.exe	104
PID 2796 wrote to memory of 2148	2796	lsm.exe	104
PID 2796 wrote to memory of 2148	2796	lsm.exe	104
PID 2796 wrote to memory of 2388	2796	lsm.exe	105
PID 2796 wrote to memory of 2388	2796	lsm.exe	105
PID 2796 wrote to memory of 2388	2796	lsm.exe	105
PID 2148 wrote to memory of 1436	2148	WScript.exe	106
PID 2148 wrote to memory of 1436	2148	WScript.exe	106
PID 2148 wrote to memory of 1436	2148	WScript.exe	106
PID 1436 wrote to memory of 1284	1436	lsm.exe	107
PID 1436 wrote to memory of 1284	1436	lsm.exe	107
PID 1436 wrote to memory of 1284	1436	lsm.exe	107
PID 1436 wrote to memory of 1160	1436	lsm.exe	108
PID 1436 wrote to memory of 1160	1436	lsm.exe	108
PID 1436 wrote to memory of 1160	1436	lsm.exe	108
PID 1284 wrote to memory of 2812	1284	WScript.exe	109
PID 1284 wrote to memory of 2812	1284	WScript.exe	109
PID 1284 wrote to memory of 2812	1284	WScript.exe	109
PID 2812 wrote to memory of 1500	2812	lsm.exe	110
PID 2812 wrote to memory of 1500	2812	lsm.exe	110
PID 2812 wrote to memory of 1500	2812	lsm.exe	110
PID 2812 wrote to memory of 2176	2812	lsm.exe	111
PID 2812 wrote to memory of 2176	2812	lsm.exe	111
PID 2812 wrote to memory of 2176	2812	lsm.exe	111
PID 1500 wrote to memory of 2096	1500	WScript.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe
"C:\Users\Admin\AppData\Local\Temp\e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:348
- C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
  "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd529d93-7c54-426b-b581-607ca9ccff18.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
      C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f62843d3-b646-4871-a3d1-ef1d024d617f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\56d8aa88-b8d0-41a1-8d1b-8d8d67a1b63c.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f510d4eb-31d2-4870-bfe5-b4e105a1bd5e.vbs"
        9⤵
        
        PID:564
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90044795-1b94-4950-9b16-e3cf19805605.vbs"
        11⤵
        
        PID:2084
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\359cdb2d-132e-47d7-bb95-882f0e38d07c.vbs"
        13⤵
        
        PID:1084
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c89673d2-05fc-4e1c-8097-00d603b074da.vbs"
        15⤵
        
        PID:2184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\25fdc8f3-c358-4406-849d-adf2b43e8622.vbs"
        15⤵
        
        PID:1284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a81a8ad1-a36b-4b84-b6ef-fd3a87001b97.vbs"
        13⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f511b268-8dd7-487c-9363-1de40c342422.vbs"
        11⤵
        
        PID:2192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\459572d9-b2f4-4d91-8bdf-25d0b77c9d74.vbs"
        9⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\641e3df3-776d-4c16-b398-f1fd9de01d86.vbs"
        7⤵
        
        PID:2176
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcc261ac-9a41-4d77-aa35-ec3998b7ed79.vbs"
        5⤵
        
        PID:1160
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b057869b-7bf1-41ab-b3f7-3d44e9028990.vbs"
    3⤵
    PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Searches\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\DISM\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Logs\DISM\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DISM\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Mahjong\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Mahjong\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\359cdb2d-132e-47d7-bb95-882f0e38d07c.vbs

Filesize
732B

MD5
d6d13b03bdc22e72f6543773378523e0

SHA1
d2314650cc5f20644661efe90bf627631274ee0a

SHA256
8a12a39bc6bbfc5af64bc44861711845b72e177cda238d8ea7f44fe3ab57ab1a

SHA512
e21c4d12e086a240ddfaafd9e6d820838d70a37e6ff049bcecd8e03ef2509da08657bbb447ac14488b0b16fd6c2d2104704477613968a0e3e4f2af0d7864f7a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\56d8aa88-b8d0-41a1-8d1b-8d8d67a1b63c.vbs

Filesize
732B

MD5
d662ce16421261a2087cbb20c547adb0

SHA1
1c8a552f7035a884f9fa6ace8cf94c56183c77fd

SHA256
f479a4bbffad731b451e4afea95ce97133010376b5038511e371738e595fb2e7

SHA512
4f927c148e07b2b1222f525d19d87c10e0227321a066ebaff327db5131fab3f3806610cb8a4e221366b9ca04d5e242cc08f0e814de6c41928593eeda92001257

Download Submit
C:\Users\Admin\AppData\Local\Temp\90044795-1b94-4950-9b16-e3cf19805605.vbs

Filesize
732B

MD5
e5e163115bf125eac785ee5f90ab8103

SHA1
e664376f6d15bf4209467dd33eb9e9c55ac9bdbe

SHA256
115fcf1350e3b2aa334c0236f74ac0c7936e4faac30c1624c3fdf628e6184316

SHA512
fe13cd6cf74211d98317f6366540911e23aec79360dfddb7a52bc54b30700a6709ef1c260e3d2da5cdd72dd38624576ac8ce0bddc1bb351d0016984f3ba28790

Download Submit
C:\Users\Admin\AppData\Local\Temp\b057869b-7bf1-41ab-b3f7-3d44e9028990.vbs

Filesize
508B

MD5
f2c4616b931db56f2c6c480d7d667885

SHA1
bd6c8ea7bc38dcaea2508e3ed85a4cc6239da3b6

SHA256
af10679e1e6982689cc4a1318052ac0afefa09044185e18ce28bbb37fd541c12

SHA512
5342ab4286b08d16a45d4cdac6495c7608531210a41a615f6049deea44ffa2cb77a424cd5afabdbdc7a874e3ce44c9f74f33e64d6464ea3c8588b78b1e359fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c89673d2-05fc-4e1c-8097-00d603b074da.vbs

Filesize
732B

MD5
af1addf80c43a4169b3144e717bacc2c

SHA1
a1fb0a5f4de2c1e687b1bad3226fff5bd7cca111

SHA256
5f692a5860030d37475a35cadbd4d9190899e6997388a2e061fd4aada792a295

SHA512
219e147bc932a7e7b85b3ae9a69cc4ac10364b4b1c1d04eba88dc9808a3cd08d4503e4faa37c68136df3803f74bb0f036b5de20ca3bb932239cee69d79d87013

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd529d93-7c54-426b-b581-607ca9ccff18.vbs

Filesize
732B

MD5
81ef1abcb9e25b0e55b16495e8426805

SHA1
e2a20f171b221daf2281ea37c54e8c62b91c37a0

SHA256
c545cc5e9a642e3c9a2d7f9ae1ad62076a2bd8b269d81bea1f3ca03a716fd9d2

SHA512
96d46387db313c5c05a8185d7d3eb34ed0843e420ee50b2a7dc72716585f474477faeccdcaaf999c63ab2d9282c2718b4a096357ec812fcb585027d767c47a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\f510d4eb-31d2-4870-bfe5-b4e105a1bd5e.vbs

Filesize
732B

MD5
ea657151bf4ff7921b5da9ae1ce91bd2

SHA1
3cb0d67e519b62b63792a0f283fb1ce163fa19a2

SHA256
e63ebd9608ad3b974008efd0da1c01f74fc5542fac2ebd587b92418dce322a4e

SHA512
217500eff28d719107080a2a9239181f41168921b4f38ca981287abb12affd00d0bd08fe4298ccfdaf1e447ec31ed11f844e64c9ee6e81f0546ffb91828a42aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\f62843d3-b646-4871-a3d1-ef1d024d617f.vbs

Filesize
732B

MD5
41f609b0d02da656c61f4adaaa241f57

SHA1
4a119db47a181fc0998c6e3bf0d2b7ba13af26d7

SHA256
99caaf4f5c5d087b870af91cf24e2102b336d3924b363e935a490dea8f378fc3

SHA512
2a960ce344384bc0ce7e2a8f8d1d9896ea7a352617e1516495e648261bb7ddffd26743a954a2eee44adc08cfd90eae496edbe494b8bd7cebb174ddcb1d03e764

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a7e3dc3ea88526916920192004f90c94

SHA1
10b21c8c26628e5ccb8490d0d6cf81b421c7956f

SHA256
ccfa821804cd2e0ce327418093d26db6cb3a9bb254ecb21e82804de988706c62

SHA512
6873a256a92454b2cb91472b5efb5ffec65b370e1d647b327243bc02acbc8d71d1852e5ac29bc76672ecfd5de151ae485006f14bcc840a68c42531baa887816c

Download Submit
C:\Users\Admin\OSPPSVC.exe

Filesize
1.7MB

MD5
d337a1cc8b6b0d9f1c16ec727b3197e2

SHA1
01dbeb18baa4efb70b3a30930e08d89e2e25c05a

SHA256
e218369280704cdfefe3390d90b8f1918dd4c215879b6ad12f1fee1b40550345

SHA512
d20493b21aceb61d5e8c49afa8cd0cdd14234b9b3d94d4f8af92f0b64cb4542fc154cd29339b1f56abae14c97b752f8f6b81d6e86e301c3576117fa510879285

Download Submit
C:\Users\Admin\OSPPSVC.exe

Filesize
1.7MB

MD5
16faa2ae1ee1952873f1dd5b7a391ce3

SHA1
54cc44683da2fa4bcd7231399352a488e3ab75c4

SHA256
d1e6aa44cc43945e83a2aca9a70c7d97903269c5d0a9cd770ce0b19669521ff5

SHA512
e9fbbd06efd41461444f973741573fc2469348278c8c416b1239c229dac39b2467c6740462d73a4fe9055e333add9d9d3f7af6e803549ef153d5343d9b109443

Download Submit
memory/1152-282-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1152-284-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1392-360-0x00000000012F0000-0x00000000014B0000-memory.dmp

Filesize
1.8MB

Download
memory/2660-9-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2660-11-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/2660-17-0x0000000000EA0000-0x0000000000EAC000-memory.dmp

Filesize
48KB

Download
memory/2660-20-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-16-0x0000000000E90000-0x0000000000E9C000-memory.dmp

Filesize
48KB

Download
memory/2660-13-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/2660-197-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2660-222-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-246-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-14-0x0000000000BD0000-0x0000000000BDE000-memory.dmp

Filesize
56KB

Download
memory/2660-12-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/2660-15-0x0000000000E80000-0x0000000000E88000-memory.dmp

Filesize
32KB

Download
memory/2660-1-0x0000000000EC0000-0x0000000001080000-memory.dmp

Filesize
1.8MB

Download
memory/2660-316-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2660-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/2660-8-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2660-6-0x00000000004B0000-0x00000000004C6000-memory.dmp

Filesize
88KB

Download
memory/2660-7-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/2660-5-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2660-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2660-3-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2660-2-0x000007FEF58A0000-0x000007FEF628C000-memory.dmp

Filesize
9.9MB

Download
memory/2796-315-0x0000000000FD0000-0x0000000001190000-memory.dmp

Filesize
1.8MB

Download