dcrat | e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386

Analysis

max time kernel
35s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Size

1.7MB
MD5

a55ec0151237a920dfd1fbce1dacca26
SHA1

b3abf9945fc79c6a57c16dd519de7027d4ebd4b3
SHA256

e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386
SHA512

c064443dc5f5759f4f36cdf230e13486a6a2af673e4f59bb02ae6e21f60b0fff115d580cf69eaeed17d5c5ec40e127c4a1c02a9beccd3243e00b7ad5d973d617
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJC:NgwuuEpdDLNwVMeXDL0fdSzAGL

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2888	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2888	schtasks.exe	29

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1820-1-0x0000000000DE0000-0x0000000000F96000-memory.dmp	dcrat
behavioral1/files/0x00050000000195c3-29.dat	dcrat
behavioral1/files/0x00060000000195bb-97.dat	dcrat
behavioral1/files/0x00060000000195c1-108.dat	dcrat
behavioral1/files/0x00090000000195c3-144.dat	dcrat
behavioral1/files/0x000b00000001975a-176.dat	dcrat
behavioral1/files/0x000a000000019bf5-217.dat	dcrat
behavioral1/memory/2840-290-0x0000000001340000-0x00000000014F6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2248	powershell.exe
2112	powershell.exe
2164	powershell.exe
1920	powershell.exe
2276	powershell.exe
2640	powershell.exe
2184	powershell.exe
2604	powershell.exe
2104	powershell.exe
2208	powershell.exe
2152	powershell.exe
1240	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe

Executes dropped EXE 1 IoCs

pid	Process
2840	services.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCX1087.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCX1309.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\f3b6ecef712a24	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\1610b97d3ab4a7	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files\Windows Journal\dwm.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files\Windows Journal\6cb0b6c459d5d3	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Uninstall Information\RCX1058.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX1FAF.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Windows Journal\RCX2698.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files\Uninstall Information\services.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX1FEF.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Windows Journal\RCX26B8.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\101b941d020240	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX1AEA.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX1B68.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Uninstall Information\services.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCX12CA.tmp	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
File opened for modification	C:\Program Files\Windows Journal\dwm.exe	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe
1748	schtasks.exe
1264	schtasks.exe
1792	schtasks.exe
616	schtasks.exe
828	schtasks.exe
2384	schtasks.exe
2064	schtasks.exe
2108	schtasks.exe
1660	schtasks.exe
2500	schtasks.exe
1648	schtasks.exe
1140	schtasks.exe
1360	schtasks.exe
2740	schtasks.exe
2704	schtasks.exe
824	schtasks.exe
2620	schtasks.exe
2076	schtasks.exe
2684	schtasks.exe
2296	schtasks.exe
1652	schtasks.exe
2572	schtasks.exe
2604	schtasks.exe
2636	schtasks.exe
2352	schtasks.exe
2136	schtasks.exe
2608	schtasks.exe
2172	schtasks.exe
1912	schtasks.exe
2768	schtasks.exe
2668	schtasks.exe
1824	schtasks.exe
2024	schtasks.exe
2204	schtasks.exe
2120	schtasks.exe
1980	schtasks.exe
896	schtasks.exe
2248	schtasks.exe
840	schtasks.exe
3068	schtasks.exe
1832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
1920	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2840	services.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1920	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	72
PID 1820 wrote to memory of 1920	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	72
PID 1820 wrote to memory of 1920	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	72
PID 1820 wrote to memory of 2276	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	73
PID 1820 wrote to memory of 2276	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	73
PID 1820 wrote to memory of 2276	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	73
PID 1820 wrote to memory of 2184	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	74
PID 1820 wrote to memory of 2184	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	74
PID 1820 wrote to memory of 2184	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	74
PID 1820 wrote to memory of 2640	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	75
PID 1820 wrote to memory of 2640	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	75
PID 1820 wrote to memory of 2640	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	75
PID 1820 wrote to memory of 2208	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	76
PID 1820 wrote to memory of 2208	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	76
PID 1820 wrote to memory of 2208	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	76
PID 1820 wrote to memory of 2104	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	77
PID 1820 wrote to memory of 2104	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	77
PID 1820 wrote to memory of 2104	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	77
PID 1820 wrote to memory of 2604	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	79
PID 1820 wrote to memory of 2604	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	79
PID 1820 wrote to memory of 2604	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	79
PID 1820 wrote to memory of 2164	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	80
PID 1820 wrote to memory of 2164	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	80
PID 1820 wrote to memory of 2164	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	80
PID 1820 wrote to memory of 1240	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	82
PID 1820 wrote to memory of 1240	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	82
PID 1820 wrote to memory of 1240	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	82
PID 1820 wrote to memory of 2112	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	83
PID 1820 wrote to memory of 2112	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	83
PID 1820 wrote to memory of 2112	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	83
PID 1820 wrote to memory of 2248	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	86
PID 1820 wrote to memory of 2248	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	86
PID 1820 wrote to memory of 2248	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	86
PID 1820 wrote to memory of 2152	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	93
PID 1820 wrote to memory of 2152	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	93
PID 1820 wrote to memory of 2152	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	93
PID 1820 wrote to memory of 2120	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	95
PID 1820 wrote to memory of 2120	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	95
PID 1820 wrote to memory of 2120	1820	e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe	95
PID 2120 wrote to memory of 2072	2120	cmd.exe	98
PID 2120 wrote to memory of 2072	2120	cmd.exe	98
PID 2120 wrote to memory of 2072	2120	cmd.exe	98
PID 2120 wrote to memory of 2840	2120	cmd.exe	99
PID 2120 wrote to memory of 2840	2120	cmd.exe	99
PID 2120 wrote to memory of 2840	2120	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe
"C:\Users\Admin\AppData\Local\Temp\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EGxcg3vTGU.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2072
- - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
    "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386e" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386e" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Application Data\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RCX185A.tmp

Filesize
1.7MB

MD5
283a5669d3b2f3937b38293c34c7e05a

SHA1
cbc742876b90557abc3b2e7f8804df6d9542e5a9

SHA256
be353c74d98fac14662f7fa78d1589920680bc95f35844471b9aa068c6497739

SHA512
5c28ccb1a9b3c56c2bfe6e3dfdd6c221d68b285f35f3fa90312598c3fb9f41c61e088dfe6a12b4aaacefe1017e0220087b3f470f48761aa15ab5cb269eee46f4

Download Submit
C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe

Filesize
1.7MB

MD5
588ea3e49e66f6365ec2a8fb9548e191

SHA1
5babbc52072611cfdcd72415e7fb9ac5d38d6bb7

SHA256
ec39ddc152d51c671824944cb159f6ffde1c3f1ee0528a00edf175019c3f7873

SHA512
b9a90a139d3a7385048dec1c73fac568e4e4c8d6b48baaad8e7a7f57f3711d196087d58061fee759ba900e36a771bffa01d947ba7c37386f6d2aba1036ed2161

Download Submit
C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\spoolsv.exe

Filesize
1.7MB

MD5
55ac12bf6b792b1ae74c66b2a23764d6

SHA1
dd9bfea6e4917306ab89d8c34765b9343075b39b

SHA256
530cad720375a1d97f1671c307121031123993bc975f477ec7e9c06df47e4669

SHA512
c06e2993f1d8a5297d51b3ca07fbc244935bcdad7ddc265d1f3e9663462c7beba12aaa0b4383d39b9838e328047f71ce0fec69cbc76bd81e00358137b7c280f7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe

Filesize
1.7MB

MD5
a55ec0151237a920dfd1fbce1dacca26

SHA1
b3abf9945fc79c6a57c16dd519de7027d4ebd4b3

SHA256
e3f2d6b51dc02501bc0b54a9dc277d8e90e471a0a61e81b11ab1acbafa6f9386

SHA512
c064443dc5f5759f4f36cdf230e13486a6a2af673e4f59bb02ae6e21f60b0fff115d580cf69eaeed17d5c5ec40e127c4a1c02a9beccd3243e00b7ad5d973d617

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe

Filesize
1.7MB

MD5
b5173020686f5144a958d73ae733e328

SHA1
929798b9e298125a58720d3eae7b414ccba00169

SHA256
4399dfa1cecc33aaa860c46c2ced046352da224090d402f291784ed0173a5e81

SHA512
4de9dbf2939691da04078122ea5d3a179ac29bcb78ac3aff9b549cb8a4ee1dcd5888b50952d9ccab2c90af204c2f85f7b02dfd37eccec973f226b62fe3d61a6f

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\RCX291A.tmp

Filesize
1.7MB

MD5
58d737b6195765f8d8a3ab4232ae4a53

SHA1
f9e50f7cb4ba9d8167181f46b96ab8a2ef51bcfd

SHA256
6415ce12d3e0b25ea13f7e419648568c43099aa4874d2cab533b3c7d59e18117

SHA512
413c6ae1abe0cf09854ebf2a34e556c1e125d15e40f1b86c5158108abe960f2a9a36e6bd20a755302ddbf0a7e4a9a4ceb97773b1074ffbf6cd83455f74919da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EGxcg3vTGU.bat

Filesize
240B

MD5
28d9fd984126c2a3fef9489233753a25

SHA1
b01d38f889597cf9041c87c90d4351ac74d59383

SHA256
6b21cd2f5b2e94ba7be5b23bec98e6515afa9e6f2b43eb68ba795935498585fb

SHA512
50ae593e262b352028fac9db406de442bb065421bb82a3a842712850c33bad93e8c5e4723653151abfb789283a937ba6633958a4b319dd7843fe179561ccbf33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
650378cacf0a422a52cb64d2633e6066

SHA1
8d7f4eecd622bcaef385188eb981f717ade1d5e0

SHA256
6feefbbdbec775bf64cb6d1d7903c81725158fb1a182bf61775a7568137f22e4

SHA512
5433cb730a0edfdd06ce2729d19bb909cb51ef0fc2b77d2d4ac9905d67aa03646d97eb73305bc0937688ebef3e08f4df0a66b689b14d86507a6744dd10b82d6f

Download Submit
memory/1820-21-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-111-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-12-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/1820-13-0x0000000000B30000-0x0000000000B3C000-memory.dmp

Filesize
48KB

Download
memory/1820-14-0x0000000000CD0000-0x0000000000CDA000-memory.dmp

Filesize
40KB

Download
memory/1820-16-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/1820-15-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/1820-17-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/1820-19-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-0-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download
memory/1820-24-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-9-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/1820-89-0x000007FEF66E3000-0x000007FEF66E4000-memory.dmp

Filesize
4KB

Download
memory/1820-8-0x0000000000A00000-0x0000000000A10000-memory.dmp

Filesize
64KB

Download
memory/1820-7-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1820-10-0x0000000000B10000-0x0000000000B18000-memory.dmp

Filesize
32KB

Download
memory/1820-6-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/1820-147-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-172-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-5-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1820-196-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-4-0x0000000000280000-0x0000000000288000-memory.dmp

Filesize
32KB

Download
memory/1820-3-0x0000000000260000-0x000000000027C000-memory.dmp

Filesize
112KB

Download
memory/1820-291-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1820-1-0x0000000000DE0000-0x0000000000F96000-memory.dmp

Filesize
1.7MB

Download
memory/1820-2-0x000007FEF66E0000-0x000007FEF70CC000-memory.dmp

Filesize
9.9MB

Download
memory/1920-246-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2208-244-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/2840-290-0x0000000001340000-0x00000000014F6000-memory.dmp

Filesize
1.7MB

Download