dcrat | 3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d

Analysis

max time kernel
119s
max time network
113s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
Size

1.7MB
MD5

a556bf4a925150c916fde2eb12612af8
SHA1

9b104cc1d99689e09b14ccff6a7d58b6a425131a
SHA256

3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d
SHA512

c98deed1cdc21771fa39a8ba842ed6f284f3cb371ebbeeb04652fc6ad436a20b9e3fdcc9b7e0a4c29ac8ae8b45196268107c3db27db2e9343e7c9b537bc76161
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvl:+THUxUoh1IF9gl2M

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2364	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2364	schtasks.exe	31

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2432-1-0x0000000000F80000-0x0000000001140000-memory.dmp	dcrat
behavioral1/files/0x000a0000000122ea-29.dat	dcrat
behavioral1/files/0x00060000000187a2-36.dat	dcrat
behavioral1/memory/2268-222-0x0000000000060000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1068-233-0x0000000000B30000-0x0000000000CF0000-memory.dmp	dcrat
behavioral1/memory/1000-245-0x0000000000E30000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/2640-257-0x0000000000150000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2932-269-0x0000000000250000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2360-282-0x0000000000300000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2656-294-0x0000000000F90000-0x0000000001150000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2508	powershell.exe
880	powershell.exe
908	powershell.exe
3012	powershell.exe
2760	powershell.exe
1432	powershell.exe
2716	powershell.exe
2952	powershell.exe
900	powershell.exe
1608	powershell.exe
572	powershell.exe
1928	powershell.exe
1996	powershell.exe
2592	powershell.exe
1676	powershell.exe
1700	powershell.exe
2752	powershell.exe
1152	powershell.exe
2032	powershell.exe
2460	powershell.exe
1520	powershell.exe
1980	powershell.exe
2020	powershell.exe
2008	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe

Executes dropped EXE 8 IoCs

pid	Process
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2268	taskhost.exe
1068	taskhost.exe
1000	taskhost.exe
2640	taskhost.exe
2932	taskhost.exe
2360	taskhost.exe
2656	taskhost.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Skins\WmiPrvSE.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\24dbde2999530e	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files (x86)\Uninstall Information\5940a34987c991	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\WmiPrvSE.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\dllhost.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\7a0fd90576e088	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Program Files (x86)\Uninstall Information\dllhost.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Help\Windows\WMIADAP.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File created	C:\Windows\Help\Windows\75a57c1bdf437c	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\Help\Windows\RCXF117.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\Help\Windows\RCXF118.tmp	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
File opened for modification	C:\Windows\Help\Windows\WMIADAP.exe	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
480	schtasks.exe
2076	schtasks.exe
740	schtasks.exe
1860	schtasks.exe
2656	schtasks.exe
2648	schtasks.exe
2104	schtasks.exe
2772	schtasks.exe
2828	schtasks.exe
1720	schtasks.exe
2212	schtasks.exe
2740	schtasks.exe
1396	schtasks.exe
2844	schtasks.exe
2864	schtasks.exe
2884	schtasks.exe
2532	schtasks.exe
2548	schtasks.exe
2800	schtasks.exe
1628	schtasks.exe
2664	schtasks.exe
1964	schtasks.exe
2780	schtasks.exe
2100	schtasks.exe
2584	schtasks.exe
2140	schtasks.exe
548	schtasks.exe
2872	schtasks.exe
2180	schtasks.exe
2720	schtasks.exe
2044	schtasks.exe
2152	schtasks.exe
1684	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
3012	powershell.exe
900	powershell.exe
2752	powershell.exe
2020	powershell.exe
1608	powershell.exe
1700	powershell.exe
1152	powershell.exe
2008	powershell.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1928	powershell.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1432	powershell.exe
572	powershell.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
2760	powershell.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2268	taskhost.exe
Token: SeDebugPrivilege	1068	taskhost.exe
Token: SeDebugPrivilege	1000	taskhost.exe
Token: SeDebugPrivilege	2640	taskhost.exe
Token: SeDebugPrivilege	2932	taskhost.exe
Token: SeDebugPrivilege	2360	taskhost.exe
Token: SeDebugPrivilege	2656	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2020	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	38
PID 2432 wrote to memory of 2020	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	38
PID 2432 wrote to memory of 2020	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	38
PID 2432 wrote to memory of 3012	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	39
PID 2432 wrote to memory of 3012	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	39
PID 2432 wrote to memory of 3012	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	39
PID 2432 wrote to memory of 900	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	41
PID 2432 wrote to memory of 900	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	41
PID 2432 wrote to memory of 900	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	41
PID 2432 wrote to memory of 1608	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	42
PID 2432 wrote to memory of 1608	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	42
PID 2432 wrote to memory of 1608	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	42
PID 2432 wrote to memory of 2008	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	44
PID 2432 wrote to memory of 2008	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	44
PID 2432 wrote to memory of 2008	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	44
PID 2432 wrote to memory of 1700	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	45
PID 2432 wrote to memory of 1700	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	45
PID 2432 wrote to memory of 1700	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	45
PID 2432 wrote to memory of 2752	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	46
PID 2432 wrote to memory of 2752	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	46
PID 2432 wrote to memory of 2752	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	46
PID 2432 wrote to memory of 2760	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	48
PID 2432 wrote to memory of 2760	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	48
PID 2432 wrote to memory of 2760	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	48
PID 2432 wrote to memory of 1432	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	50
PID 2432 wrote to memory of 1432	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	50
PID 2432 wrote to memory of 1432	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	50
PID 2432 wrote to memory of 1152	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	51
PID 2432 wrote to memory of 1152	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	51
PID 2432 wrote to memory of 1152	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	51
PID 2432 wrote to memory of 1928	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	52
PID 2432 wrote to memory of 1928	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	52
PID 2432 wrote to memory of 1928	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	52
PID 2432 wrote to memory of 572	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	54
PID 2432 wrote to memory of 572	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	54
PID 2432 wrote to memory of 572	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	54
PID 2432 wrote to memory of 1596	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	62
PID 2432 wrote to memory of 1596	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	62
PID 2432 wrote to memory of 1596	2432	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	62
PID 1596 wrote to memory of 2508	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	91
PID 1596 wrote to memory of 2508	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	91
PID 1596 wrote to memory of 2508	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	91
PID 1596 wrote to memory of 1996	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	92
PID 1596 wrote to memory of 1996	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	92
PID 1596 wrote to memory of 1996	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	92
PID 1596 wrote to memory of 1676	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	93
PID 1596 wrote to memory of 1676	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	93
PID 1596 wrote to memory of 1676	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	93
PID 1596 wrote to memory of 908	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	95
PID 1596 wrote to memory of 908	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	95
PID 1596 wrote to memory of 908	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	95
PID 1596 wrote to memory of 2716	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	96
PID 1596 wrote to memory of 2716	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	96
PID 1596 wrote to memory of 2716	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	96
PID 1596 wrote to memory of 2032	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	97
PID 1596 wrote to memory of 2032	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	97
PID 1596 wrote to memory of 2032	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	97
PID 1596 wrote to memory of 1980	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	99
PID 1596 wrote to memory of 1980	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	99
PID 1596 wrote to memory of 1980	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	99
PID 1596 wrote to memory of 1520	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	101
PID 1596 wrote to memory of 1520	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	101
PID 1596 wrote to memory of 1520	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	101
PID 1596 wrote to memory of 880	1596	3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
"C:\Users\Admin\AppData\Local\Temp\3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Users\Admin\AppData\Local\Temp\3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe
  "C:\Users\Admin\AppData\Local\Temp\3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:880
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmrlOhE6lA.bat"
    3⤵
    PID:2824
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1392
  - - C:\Users\Default User\taskhost.exe
      "C:\Users\Default User\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2268
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\26bfaf97-788e-4657-a97c-1d025cb6a737.vbs"
        5⤵
        
        PID:404
      - C:\Users\Default User\taskhost.exe
        
        "C:\Users\Default User\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3b34f8a9-22de-45ec-a80b-6088d6742b44.vbs"
        7⤵
        
        PID:3000
        
        C:\Users\Default User\taskhost.exe
        
        "C:\Users\Default User\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c4a82b1-6378-4596-b62d-8d3fcbd03754.vbs"
        9⤵
        
        PID:2644
        
        C:\Users\Default User\taskhost.exe
        
        "C:\Users\Default User\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\85372fb5-7096-4cc6-b061-bb1a04d82b95.vbs"
        11⤵
        
        PID:376
        
        C:\Users\Default User\taskhost.exe
        
        "C:\Users\Default User\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4aef4334-9f40-4868-994d-840d86f2b7d3.vbs"
        13⤵
        
        PID:2600
        
        C:\Users\Default User\taskhost.exe
        
        "C:\Users\Default User\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a2c18f1-e8be-4db7-9e3d-eb3032009116.vbs"
        15⤵
        
        PID:2624
        
        C:\Users\Default User\taskhost.exe
        
        "C:\Users\Default User\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96f1bce6-8095-4c08-afe3-4c70cb2e3399.vbs"
        17⤵
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40790da-3dd5-4461-bd0f-63b899df6ebe.vbs"
        17⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd04bbef-367e-40e4-a1f5-4e8ffec33e04.vbs"
        15⤵
        
        PID:2668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\708b91b7-fb55-48a7-8a15-15fba8c29ad7.vbs"
        13⤵
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a51cd8d0-d40e-42e3-b45a-d32aa63eb0e4.vbs"
        11⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0264fece-58e1-461d-abb7-d54a9ee2a942.vbs"
        9⤵
        
        PID:2920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955802a4-cfa4-4fc1-8dba-b3e594248f42.vbs"
        7⤵
        
        PID:2368
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a41c2331-6da2-4648-887f-bae13afd50fa.vbs"
        5⤵
        
        PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Help\Windows\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Public\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Desktop\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Desktop\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe

Filesize
1.7MB

MD5
0e632597e36b832db14066d2aac0b237

SHA1
83e572274ef0f53a48f91200bd0fb6674f36f748

SHA256
6f3cd43f19bfbf0587ced6b1fe3b1e68f186cff9223b987f239965da891f4468

SHA512
657465f82d454ebb59d0a405efdad222f7c46b7d4a635203039652fc042c28d3fafa45f4fb9c6f0596f6e710b1a102ddf97babcf2fc43cb758d73278601e08f5

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe

Filesize
1.7MB

MD5
a556bf4a925150c916fde2eb12612af8

SHA1
9b104cc1d99689e09b14ccff6a7d58b6a425131a

SHA256
3cc1119336bd3ffb21665cc3b66e7f9d4646f85da0da13a7c144235444a2447d

SHA512
c98deed1cdc21771fa39a8ba842ed6f284f3cb371ebbeeb04652fc6ad436a20b9e3fdcc9b7e0a4c29ac8ae8b45196268107c3db27db2e9343e7c9b537bc76161

Download Submit
C:\Users\Admin\AppData\Local\Temp\26bfaf97-788e-4657-a97c-1d025cb6a737.vbs

Filesize
710B

MD5
f9330f5618978b57edd4de2b4c24ca42

SHA1
90591104e0844b297d53983c8606b1c34c4313c4

SHA256
237b930c5d9138d0e3b16c856b663598bfdcdfc04089817feecf2be6d37f12c9

SHA512
3ade27c00bed6317104cf8948b8b3cc91efb635761bcb6c450e1123639e59671bddf086e9ad3587496f1d300cd6f3b898dca8b1645082c92e31d0be065fa8524

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a2c18f1-e8be-4db7-9e3d-eb3032009116.vbs

Filesize
710B

MD5
061babbbe380225aaa6b1771d093b88b

SHA1
176f836d52bb95887470bd9b716449a9a0eafd32

SHA256
662bb38d9d385394afff4e323e54f2513a7144cb17bd4387c9f8a664fcc43aae

SHA512
85ebf336b2e17d3726177cd48d63d279bfb6258f44006c509ad163ce14c53d1823a23ec367054da4e26a3af89ca6ed8964c8f29ebc9e5b38b67b0ad9b1d25d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\3b34f8a9-22de-45ec-a80b-6088d6742b44.vbs

Filesize
710B

MD5
0127015149d950ed13e3e5a55f5ac74b

SHA1
e418662b2c4d9c9f2868621f5f877722c650c4ed

SHA256
25cbff977ebc0fc0fb314897629e860320cf13731bce6bb1cffc750799f2afe9

SHA512
e3eb656c282c476dd0fcb03f818848096ce03412d963e70c3644507e10b41eab387b6d9f05a2457c4348775fa73ffa3de90246fcb643b525ad05cb53d4d24980

Download Submit
C:\Users\Admin\AppData\Local\Temp\4aef4334-9f40-4868-994d-840d86f2b7d3.vbs

Filesize
710B

MD5
487342a810608cbba415832251af99f1

SHA1
e0ba4389f7e2b6de6f497d93ce1b36434cc1afb1

SHA256
b131713a1c999e3da62ac1947b6ee208e72f3161f39c910673962271b184d706

SHA512
c4d3747bb7a1e4a32bf8fd6225458728820e823a36df4e95a1a28d054dbe750dc47cab84adf0e060718847deb4d2c2db8f32830f80563bc9c489a9b1f6f36107

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c4a82b1-6378-4596-b62d-8d3fcbd03754.vbs

Filesize
710B

MD5
152e80bbf0414aba5303de4d1d455393

SHA1
f2ebcb231f397ff910ef1add2cce5b47939076c5

SHA256
49ab22d3ddce4c35f908eae617abff4e31725692375a503cc9951eb2f454ce5e

SHA512
32f633b58a835bf95184c18f929e60f4ecae24fff7918d7a7f439f9a3da372b0a1adf76b49f9f2c027fa68aef11f824f7a37b15a55446e2729f4f08e041488eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\85372fb5-7096-4cc6-b061-bb1a04d82b95.vbs

Filesize
710B

MD5
6acd1783dc3402d0282d55fe9df6d7a1

SHA1
817de9bb92aff4cb04bed9728cdbfa9cf23a0a66

SHA256
88adf3d68e63695389c44fcc0bdd75c7ff9e0e4b57d170fdc166d1a401ce3859

SHA512
74c13c26aec0251180d3b13bae6fd33388d2ef51675aa92fec39b4c3ea03f6680178f01ad08e4e3fac6dc61e1b6bc6a5656ef4ce283044f09c78ec83c9779530

Download Submit
C:\Users\Admin\AppData\Local\Temp\96f1bce6-8095-4c08-afe3-4c70cb2e3399.vbs

Filesize
710B

MD5
de5be48a14f10f0774ae41de62759266

SHA1
bd5a608b21f5398443090725f710e6b5788f6b4d

SHA256
df1c15680d32ab94d76f3410f39782fc5b9fd2ca01859d9a75b82df0e02990f5

SHA512
1b04a33fca0ff23bf24629027624f5b4ac1949d496e9f4a6af5f44a44350eec33ac53a29ff6c413f2841aa01f38333ba960e60397fa92198ebdb5995ca0127f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmrlOhE6lA.bat

Filesize
199B

MD5
24e032fd4c04652c84fd0547cabfb2de

SHA1
bceb76b20c091263edf3832c9f46246d2792897b

SHA256
28e14ee6074fe0466ac1e83df5aafa385f38e255b78201466d0abb0d963f372f

SHA512
758abe43c38a2c67919ecb414dc50a1df6f527cdcb5033eea62f9c77892e1ce58829a3c32fa626b66554e05e3c67d57187c22f41908db90b88c04d13fb12ec66

Download Submit
C:\Users\Admin\AppData\Local\Temp\a41c2331-6da2-4648-887f-bae13afd50fa.vbs

Filesize
486B

MD5
d7e182d5145ac915b4b21d6b472a2046

SHA1
31b05a4970ef0b3d39c20478e2ff874bbf5b9281

SHA256
ff3e44d7da2ab3dd27393308c5da9a84e0c13773097a2886be4453579892971e

SHA512
c9261660bc50a5822a80aa6cfedf14c680094f82da897da4099ba8d8c444b3a11f1c475c01502eccff8d4fb0f2cb52967a3d62da152b1663a41ddfad786080ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4d4b49e19f331babff66a7b69512689a

SHA1
4994e81793b5b89c452452406eae04d831b042a3

SHA256
4333166151126811d552e8585592551c41afa263361af2917c422653b1d635b3

SHA512
6022b686df5667c1f8cb505a134211cb779daef7aebe8665c0bae1c1c19c3132e5b39497047b8d7e70c2e8a9fb1030d4961899a1e5e7661dfbfe984ea5201e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c22f106b144317410400e9ec5110b4dd

SHA1
2ecf6751f2801097ac0eb5e86d3d6b786b56ca59

SHA256
749035527f2ae916258f66125759f151738fda5c25d7449044c1de442ede8121

SHA512
741f45638357143ebc82e00a242014bdbe0c6385b27cb061db78804996791f2ef5700a0672d682474461ca89e79e7a416c576d4f12cf6509641890c1d2ac7e59

Download Submit
memory/1000-245-0x0000000000E30000-0x0000000000FF0000-memory.dmp

Filesize
1.8MB

Download
memory/1068-233-0x0000000000B30000-0x0000000000CF0000-memory.dmp

Filesize
1.8MB

Download
memory/2268-222-0x0000000000060000-0x0000000000220000-memory.dmp

Filesize
1.8MB

Download
memory/2360-282-0x0000000000300000-0x00000000004C0000-memory.dmp

Filesize
1.8MB

Download
memory/2432-12-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2432-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2432-1-0x0000000000F80000-0x0000000001140000-memory.dmp

Filesize
1.8MB

Download
memory/2432-17-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/2432-2-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-83-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-16-0x0000000000E00000-0x0000000000E0C000-memory.dmp

Filesize
48KB

Download
memory/2432-15-0x0000000000C50000-0x0000000000C58000-memory.dmp

Filesize
32KB

Download
memory/2432-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2432-4-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/2432-13-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/2432-14-0x0000000000C40000-0x0000000000C4E000-memory.dmp

Filesize
56KB

Download
memory/2432-0-0x000007FEF53C3000-0x000007FEF53C4000-memory.dmp

Filesize
4KB

Download
memory/2432-20-0x000007FEF53C0000-0x000007FEF5DAC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-9-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/2432-8-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2432-7-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2432-6-0x0000000000290000-0x00000000002A6000-memory.dmp

Filesize
88KB

Download
memory/2432-5-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2592-159-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2592-161-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2640-257-0x0000000000150000-0x0000000000310000-memory.dmp

Filesize
1.8MB

Download
memory/2656-294-0x0000000000F90000-0x0000000001150000-memory.dmp

Filesize
1.8MB

Download
memory/2932-269-0x0000000000250000-0x0000000000410000-memory.dmp

Filesize
1.8MB

Download
memory/2932-270-0x0000000000810000-0x0000000000822000-memory.dmp

Filesize
72KB

Download
memory/3012-63-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/3012-62-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download