dcrat | 894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
Size

1.7MB
MD5

73714a883d186fc2d6443e3b7cc5983c
SHA1

7cd4a62912e86ef72ebba7d649d6f90b4ebe4709
SHA256

894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263
SHA512

b249387218345b11e10923a107cf9ff01b81a4c1e30dd72e91cf7ac210829cd00445db3a80d2f4280a7b0d03aba2f30eadbcaf3a33de7fb5d282e622d7f2108a
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv0:+THUxUoh1IF9gl2b

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2160	schtasks.exe	28
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2160	schtasks.exe	28

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2904-1-0x00000000013D0000-0x0000000001590000-memory.dmp	dcrat
behavioral1/files/0x0008000000016dbe-27.dat	dcrat
behavioral1/files/0x0006000000019244-76.dat	dcrat
behavioral1/files/0x0009000000016d3e-89.dat	dcrat
behavioral1/files/0x000d000000016dbe-135.dat	dcrat
behavioral1/memory/3056-243-0x0000000000DA0000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/492-255-0x0000000000200000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2244-267-0x0000000000D50000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/1264-279-0x0000000000EF0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/1272-291-0x0000000001310000-0x00000000014D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1692	powershell.exe
2448	powershell.exe
2376	powershell.exe
2792	powershell.exe
2768	powershell.exe
2072	powershell.exe
2796	powershell.exe
1688	powershell.exe
2000	powershell.exe
2032	powershell.exe
2432	powershell.exe
2564	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe

Executes dropped EXE 5 IoCs

pid	Process
3056	Idle.exe
492	Idle.exe
2244	Idle.exe
1264	Idle.exe
1272	Idle.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\886983d96e3d3e	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX92C7.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\csrss.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files\Windows Mail\en-US\42af1c969fbb7b	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\886983d96e3d3e	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\audiodg.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCX8DE3.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX973E.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX9259.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCX973D.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files\Windows Mail\en-US\audiodg.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Program Files (x86)\Windows Mail\csrss.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\RCX8DE2.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Globalization\Sorting\RCX9BB4.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\Globalization\Sorting\Idle.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\Globalization\Sorting\6ccacd8608530f	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCX9B46.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\RCX9DB9.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\TAPI\audiodg.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\Globalization\Sorting\Idle.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\Idle.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\TAPI\RCX94CB.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\TAPI\audiodg.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\RCX9DB8.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\Idle.exe	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\TAPI\42af1c969fbb7b	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File opened for modification	C:\Windows\TAPI\RCX94CC.tmp	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\6ccacd8608530f	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1696	schtasks.exe
2308	schtasks.exe
2776	schtasks.exe
2640	schtasks.exe
2620	schtasks.exe
2740	schtasks.exe
1932	schtasks.exe
2304	schtasks.exe
2772	schtasks.exe
2588	schtasks.exe
660	schtasks.exe
1776	schtasks.exe
2556	schtasks.exe
2892	schtasks.exe
2496	schtasks.exe
2384	schtasks.exe
1708	schtasks.exe
1852	schtasks.exe
2624	schtasks.exe
2696	schtasks.exe
2044	schtasks.exe
2744	schtasks.exe
2748	schtasks.exe
2004	schtasks.exe
2080	schtasks.exe
2112	schtasks.exe
2720	schtasks.exe
2024	schtasks.exe
1288	schtasks.exe
1640	schtasks.exe
2644	schtasks.exe
836	schtasks.exe
1788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
2796	powershell.exe
2432	powershell.exe
2072	powershell.exe
2564	powershell.exe
2448	powershell.exe
1692	powershell.exe
2768	powershell.exe
2376	powershell.exe
2032	powershell.exe
1688	powershell.exe
2792	powershell.exe
2000	powershell.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe
3056	Idle.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	3056	Idle.exe
Token: SeDebugPrivilege	492	Idle.exe
Token: SeDebugPrivilege	2244	Idle.exe
Token: SeDebugPrivilege	1264	Idle.exe
Token: SeDebugPrivilege	1272	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1688	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	62
PID 2904 wrote to memory of 1688	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	62
PID 2904 wrote to memory of 1688	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	62
PID 2904 wrote to memory of 1692	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	63
PID 2904 wrote to memory of 1692	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	63
PID 2904 wrote to memory of 1692	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	63
PID 2904 wrote to memory of 2000	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	64
PID 2904 wrote to memory of 2000	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	64
PID 2904 wrote to memory of 2000	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	64
PID 2904 wrote to memory of 2448	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	65
PID 2904 wrote to memory of 2448	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	65
PID 2904 wrote to memory of 2448	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	65
PID 2904 wrote to memory of 2032	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	66
PID 2904 wrote to memory of 2032	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	66
PID 2904 wrote to memory of 2032	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	66
PID 2904 wrote to memory of 2432	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	67
PID 2904 wrote to memory of 2432	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	67
PID 2904 wrote to memory of 2432	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	67
PID 2904 wrote to memory of 2376	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	68
PID 2904 wrote to memory of 2376	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	68
PID 2904 wrote to memory of 2376	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	68
PID 2904 wrote to memory of 2564	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	69
PID 2904 wrote to memory of 2564	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	69
PID 2904 wrote to memory of 2564	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	69
PID 2904 wrote to memory of 2792	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	70
PID 2904 wrote to memory of 2792	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	70
PID 2904 wrote to memory of 2792	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	70
PID 2904 wrote to memory of 2768	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	71
PID 2904 wrote to memory of 2768	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	71
PID 2904 wrote to memory of 2768	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	71
PID 2904 wrote to memory of 2072	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	72
PID 2904 wrote to memory of 2072	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	72
PID 2904 wrote to memory of 2072	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	72
PID 2904 wrote to memory of 2796	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	73
PID 2904 wrote to memory of 2796	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	73
PID 2904 wrote to memory of 2796	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	73
PID 2904 wrote to memory of 2440	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	82
PID 2904 wrote to memory of 2440	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	82
PID 2904 wrote to memory of 2440	2904	894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe	82
PID 2440 wrote to memory of 2500	2440	cmd.exe	88
PID 2440 wrote to memory of 2500	2440	cmd.exe	88
PID 2440 wrote to memory of 2500	2440	cmd.exe	88
PID 2440 wrote to memory of 3056	2440	cmd.exe	89
PID 2440 wrote to memory of 3056	2440	cmd.exe	89
PID 2440 wrote to memory of 3056	2440	cmd.exe	89
PID 3056 wrote to memory of 1600	3056	Idle.exe	90
PID 3056 wrote to memory of 1600	3056	Idle.exe	90
PID 3056 wrote to memory of 1600	3056	Idle.exe	90
PID 3056 wrote to memory of 3040	3056	Idle.exe	91
PID 3056 wrote to memory of 3040	3056	Idle.exe	91
PID 3056 wrote to memory of 3040	3056	Idle.exe	91
PID 1600 wrote to memory of 492	1600	WScript.exe	94
PID 1600 wrote to memory of 492	1600	WScript.exe	94
PID 1600 wrote to memory of 492	1600	WScript.exe	94
PID 492 wrote to memory of 292	492	Idle.exe	95
PID 492 wrote to memory of 292	492	Idle.exe	95
PID 492 wrote to memory of 292	492	Idle.exe	95
PID 492 wrote to memory of 1640	492	Idle.exe	96
PID 492 wrote to memory of 1640	492	Idle.exe	96
PID 492 wrote to memory of 1640	492	Idle.exe	96
PID 292 wrote to memory of 2244	292	WScript.exe	97
PID 292 wrote to memory of 2244	292	WScript.exe	97
PID 292 wrote to memory of 2244	292	WScript.exe	97
PID 2244 wrote to memory of 2004	2244	Idle.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe
"C:\Users\Admin\AppData\Local\Temp\894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9NEQIAZgOA.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2500
- - C:\Windows\Globalization\Sorting\Idle.exe
    "C:\Windows\Globalization\Sorting\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a279477-1fcf-4ef6-b6d7-68ae2789a40c.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Windows\Globalization\Sorting\Idle.exe
        
        C:\Windows\Globalization\Sorting\Idle.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:492
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8435f8fb-7363-4376-8943-12c22c4713bc.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\Globalization\Sorting\Idle.exe
        
        C:\Windows\Globalization\Sorting\Idle.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f623a3be-dc53-4cee-b7ed-175ac0529314.vbs"
        8⤵
        
        PID:2004
        
        C:\Windows\Globalization\Sorting\Idle.exe
        
        C:\Windows\Globalization\Sorting\Idle.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6aafe34-1178-4e58-8e15-3b52d565d7f2.vbs"
        10⤵
        
        PID:1724
        
        C:\Windows\Globalization\Sorting\Idle.exe
        
        C:\Windows\Globalization\Sorting\Idle.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7f318ea-f321-4474-9eac-6d949232e40e.vbs"
        12⤵
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fb84ac3-3a67-4e7b-a722-7332d069e797.vbs"
        12⤵
        
        PID:2536
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a5e6aeb-35a8-4a6a-9609-aa1ad7deaac9.vbs"
        10⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b37d89c-2806-4341-a173-9d38d77da187.vbs"
        8⤵
        
        PID:1028
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22dc3768-c485-4d80-8e07-fe5a5199f17e.vbs"
        6⤵
        
        PID:1640
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0355409f-c159-43aa-93a8-2a63e87fde89.vbs"
      4⤵
      PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Cookies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Cookies\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\TAPI\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\TAPI\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\Sorting\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Sorting\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\Network Sharing\csrss.exe

Filesize
1.7MB

MD5
cc45336efc03a56d032f17b2c9665a6e

SHA1
8e54b04d780b21a48b5d6af783bdd60e1da1d997

SHA256
18e1d89b292e6dc9b6f77901dc03dcdcc68e3c9eb4775b56e94369ddf623ebf4

SHA512
7280ebd3e374a39808ddb00b431a99e548389537aa94143fd060ca9ad33701f380a140a659813cf49f0ee8adee2ef4ed75f03a9961c092f960a42031b43c74b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0355409f-c159-43aa-93a8-2a63e87fde89.vbs

Filesize
493B

MD5
e5ce571273af7beb0f9084c1fd0f1753

SHA1
e0d2a345c7c83d1695a9efd7d24435a902f6ce43

SHA256
95a1ea6b8c00dfab68b55259f85e67bda76f9ad161023899a898549dbef856ff

SHA512
cbd687f2c905625cf932aff906cf94e68cc84e1f93353e176c5c5af4eafb34983c05b2636f53c560c089bbfb9103b8c236b345c1f44fb2f9d4fafab2dd01dd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a279477-1fcf-4ef6-b6d7-68ae2789a40c.vbs

Filesize
717B

MD5
c3f9d5db9f81242382fa366687145659

SHA1
29c334a0052b1914606b89e25bff379a7dd62e06

SHA256
27c2182b475063433b9e5fe507e0d99b0eef86e88c9eb0261abdffbfe324f028

SHA512
37485310edf886ba0f113f0fd575bf99d883a15d4a7769c35e96d37d27406099170dcf2fd73375214e4765c0f082cc289ed9249ecc1f87271ee24f8612e6c9f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8435f8fb-7363-4376-8943-12c22c4713bc.vbs

Filesize
716B

MD5
5b249a676980f99ca1276a24f3b670b3

SHA1
242082a7a43a0722c819c3dfbac02729030aae8f

SHA256
de56c4ca3c7b8c1c4947f66361e4559dd7bb5785ed77b9005bff8051ceef0d06

SHA512
b73492203c06c247ce329c31f4d418254e8f7cf55b7e5b278044c919a785739b533eec31a4f08a6b252a81363478f4d99d0a29795ea30efaf8e3806600e19b00

Download Submit
C:\Users\Admin\AppData\Local\Temp\9NEQIAZgOA.bat

Filesize
206B

MD5
f87f6128ba0ff992940bc679ac064238

SHA1
d2f15f780e8bf301dddf6b37a8add2e3284cc0eb

SHA256
39f1d645562bafd0767743d59f3d44b122b07bee6700ec7cdf929448fd9b4942

SHA512
7c421cfa98c622a4afcd0de0060ca1fa57a00b946e34b844d9250b9c938f739f56fc2977e108ac01c75f3817881162511f4cc0b1418c03f1fde06086ec972a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7f318ea-f321-4474-9eac-6d949232e40e.vbs

Filesize
717B

MD5
dc151bf7404601d7a8c0452a6e4b3533

SHA1
549bc0b495a58c13298ee4abcfa8e58e14988391

SHA256
1969a3d4ebc175d314d4ca5c753f022b3874c57ee511dfe32aea8f5c82a62a06

SHA512
492564ad0c51836dac397b11ea4f45ddc6c52cd48d440933d26be7da3ebbcab9dffa250bc5228820f95295ea75061615e6ac54b5571cf958a82799816055c72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d6aafe34-1178-4e58-8e15-3b52d565d7f2.vbs

Filesize
717B

MD5
34879d2f1baaec070e4bc516681cc4ad

SHA1
07678b49c38c3829db997a0d1499c335ed608e1b

SHA256
32271ef84603f7d5eeb004d5c056f8955d84516194d97c225c3805148af2df13

SHA512
ff6c74b58964d02d1171f32eeabce314eb36a606144494bd7cf0d3c53432d1f64be22efb67ff4fc26a509cfa4c79c649373ae8a69c1dd74a01e206bdb150604e

Download Submit
C:\Users\Admin\AppData\Local\Temp\f623a3be-dc53-4cee-b7ed-175ac0529314.vbs

Filesize
717B

MD5
3c2e59c4e856b584b38f3dd5d261263b

SHA1
1331b9ed0c61a2f5673afb35409605c3a33c1b9d

SHA256
b022ea0e512d3544ba1e927e831b4dfac1b4b5705539b3ca3589244628191305

SHA512
98d7a1ddec901df9bda51f36496fe03679ab9907c9760f017805eb0cb788509f4ab4fe884f5b7fcc266442b2f0bd4e1e9f26ed57c0798a01e2d629c5e1be4679

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
121a7bf7d4b1c2d09aab71f91fe78a02

SHA1
c765a66ceebf3db7a07b673b687354bf79d1cbb1

SHA256
fd32c52ebd512f8c57776c67ddb232b0422ccb61fdec6ebfee584fb6a7d6e35a

SHA512
691e2311f1ce9425f79814d3d068d4be4af7acc9b83ed6a55cd6978332ddd386f81ef2e8ea9eae70115918f8c3f5f694b214db815e22787ee528f5ef432af493

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies\winlogon.exe

Filesize
1.7MB

MD5
ce20429c7acde13b6dcf2380b0084ebb

SHA1
345c52705db5d5b5a714d6a04c811eeed81b24f6

SHA256
3abac666aaaaad4a5c30b30a115a1b239389e4d10b286432ee442692989d0071

SHA512
8ecf65c2c0bbc44d36a2dd64ac25669f0f650f2706cea23643fa36df9686528a765622459261fe534525ceb92f09dc293e3ff0fe94604df40112240bf8cc6a01

Download Submit
C:\Windows\Globalization\Sorting\Idle.exe

Filesize
1.7MB

MD5
8cc2fd45bfbc96ed67db1fa791e3e868

SHA1
643c6b1accc62caaed960ad1decd73396fce5a04

SHA256
c2c5e27a94790dcfd7cd0f7a77ef9fbfbf7ed09532727f1fa07120352b116e1e

SHA512
a7404572eb453a51b26eab917edaaeeb66fc5aaaaa4615471ae2835c160fffc1a237da1cd61ed26e09e69afb68f4bacba730eafae8e48a5a910075ac68480171

Download Submit
C:\Windows\TAPI\audiodg.exe

Filesize
1.7MB

MD5
73714a883d186fc2d6443e3b7cc5983c

SHA1
7cd4a62912e86ef72ebba7d649d6f90b4ebe4709

SHA256
894dc07a3705238c0ffa6d2b9313c97555ac3720f0bbf434099d8c414bae5263

SHA512
b249387218345b11e10923a107cf9ff01b81a4c1e30dd72e91cf7ac210829cd00445db3a80d2f4280a7b0d03aba2f30eadbcaf3a33de7fb5d282e622d7f2108a

Download Submit
memory/492-255-0x0000000000200000-0x00000000003C0000-memory.dmp

Filesize
1.8MB

Download
memory/1264-279-0x0000000000EF0000-0x00000000010B0000-memory.dmp

Filesize
1.8MB

Download
memory/1272-291-0x0000000001310000-0x00000000014D0000-memory.dmp

Filesize
1.8MB

Download
memory/2072-201-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2244-267-0x0000000000D50000-0x0000000000F10000-memory.dmp

Filesize
1.8MB

Download
memory/2796-199-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2904-9-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2904-11-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/2904-17-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/2904-16-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2904-178-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-15-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2904-13-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/2904-14-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/2904-12-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2904-1-0x00000000013D0000-0x0000000001590000-memory.dmp

Filesize
1.8MB

Download
memory/2904-2-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-18-0x000007FEF56D0000-0x000007FEF60BC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-0-0x000007FEF56D3000-0x000007FEF56D4000-memory.dmp

Filesize
4KB

Download
memory/2904-8-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2904-6-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/2904-7-0x0000000000390000-0x00000000003A0000-memory.dmp

Filesize
64KB

Download
memory/2904-4-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2904-5-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2904-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/3056-244-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/3056-243-0x0000000000DA0000-0x0000000000F60000-memory.dmp

Filesize
1.8MB

Download