dcrat | 916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Size

1.7MB
MD5

7a6337d1705c5b4e696b224c29fc5233
SHA1

5631625b8754ac8e02f9b441a47b229ac37a6cbc
SHA256

916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9
SHA512

7727e5546724c46ac6c481989860e93f7b0e4537a0fc8a1d8595657181c985213f794390f0198a4a69f7b19f999b4bfef5d044f2a6fd2ecc51be119207753efe
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	536	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	536	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2032-1-0x0000000000D40000-0x0000000000EF6000-memory.dmp	dcrat
behavioral1/files/0x00050000000194e2-27.dat	dcrat
behavioral1/files/0x000b00000001948d-124.dat	dcrat
behavioral1/files/0x00060000000195ce-146.dat	dcrat
behavioral1/files/0x0007000000019bf2-196.dat	dcrat
behavioral1/files/0x000600000001a2fc-220.dat	dcrat
behavioral1/memory/108-317-0x00000000001C0000-0x0000000000376000-memory.dmp	dcrat
behavioral1/memory/2916-329-0x0000000000F40000-0x00000000010F6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2560	powershell.exe
2428	powershell.exe
2524	powershell.exe
1728	powershell.exe
1640	powershell.exe
2284	powershell.exe
872	powershell.exe
2468	powershell.exe
1780	powershell.exe
2368	powershell.exe
2956	powershell.exe
1316	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Executes dropped EXE 2 IoCs

pid	Process
108	taskhost.exe
2916	taskhost.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\69ddcba757bf72	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXBD98.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCXC5AB.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXE012.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\RCXE011.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsm.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\24dbde2999530e	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCXC5AA.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXDD9F.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\RCXDE0D.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsm.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\101b941d020240	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\5940a34987c991	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RCXBD87.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\6ccacd8608530f	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\RCXC1A0.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\AppPatch\es-ES\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\PCHEALTH\ERRORREP\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\AppPatch\es-ES\services.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\AppPatch\es-ES\c5b4cb5e9653cc	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\RCXC1A1.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\PCHEALTH\ERRORREP\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\AppPatch\es-ES\RCXD177.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\AppPatch\es-ES\RCXD178.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
788	schtasks.exe
1364	schtasks.exe
1360	schtasks.exe
2816	schtasks.exe
2136	schtasks.exe
2980	schtasks.exe
1408	schtasks.exe
1812	schtasks.exe
1488	schtasks.exe
2664	schtasks.exe
1640	schtasks.exe
1224	schtasks.exe
1724	schtasks.exe
1396	schtasks.exe
916	schtasks.exe
1876	schtasks.exe
1164	schtasks.exe
2328	schtasks.exe
872	schtasks.exe
2852	schtasks.exe
1688	schtasks.exe
1660	schtasks.exe
2356	schtasks.exe
2600	schtasks.exe
2428	schtasks.exe
2668	schtasks.exe
2540	schtasks.exe
2176	schtasks.exe
2756	schtasks.exe
1484	schtasks.exe
1944	schtasks.exe
2924	schtasks.exe
2004	schtasks.exe
2796	schtasks.exe
592	schtasks.exe
2332	schtasks.exe
1136	schtasks.exe
2660	schtasks.exe
2864	schtasks.exe
2476	schtasks.exe
1064	schtasks.exe
688	schtasks.exe
1536	schtasks.exe
1648	schtasks.exe
2716	schtasks.exe
2832	schtasks.exe
2884	schtasks.exe
2656	schtasks.exe
1996	schtasks.exe
2152	schtasks.exe
1680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
1728	powershell.exe
2956	powershell.exe
2468	powershell.exe
1780	powershell.exe
1316	powershell.exe
2560	powershell.exe
2368	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	108	taskhost.exe
Token: SeDebugPrivilege	2916	taskhost.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2468	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	85
PID 2032 wrote to memory of 2468	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	85
PID 2032 wrote to memory of 2468	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	85
PID 2032 wrote to memory of 2560	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	86
PID 2032 wrote to memory of 2560	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	86
PID 2032 wrote to memory of 2560	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	86
PID 2032 wrote to memory of 2428	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	87
PID 2032 wrote to memory of 2428	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	87
PID 2032 wrote to memory of 2428	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	87
PID 2032 wrote to memory of 1780	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	88
PID 2032 wrote to memory of 1780	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	88
PID 2032 wrote to memory of 1780	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	88
PID 2032 wrote to memory of 2368	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	89
PID 2032 wrote to memory of 2368	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	89
PID 2032 wrote to memory of 2368	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	89
PID 2032 wrote to memory of 2956	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	90
PID 2032 wrote to memory of 2956	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	90
PID 2032 wrote to memory of 2956	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	90
PID 2032 wrote to memory of 2524	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	91
PID 2032 wrote to memory of 2524	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	91
PID 2032 wrote to memory of 2524	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	91
PID 2032 wrote to memory of 1316	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	92
PID 2032 wrote to memory of 1316	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	92
PID 2032 wrote to memory of 1316	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	92
PID 2032 wrote to memory of 872	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	93
PID 2032 wrote to memory of 872	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	93
PID 2032 wrote to memory of 872	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	93
PID 2032 wrote to memory of 2284	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	94
PID 2032 wrote to memory of 2284	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	94
PID 2032 wrote to memory of 2284	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	94
PID 2032 wrote to memory of 1728	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	95
PID 2032 wrote to memory of 1728	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	95
PID 2032 wrote to memory of 1728	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	95
PID 2032 wrote to memory of 1640	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	97
PID 2032 wrote to memory of 1640	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	97
PID 2032 wrote to memory of 1640	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	97
PID 2032 wrote to memory of 2528	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	109
PID 2032 wrote to memory of 2528	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	109
PID 2032 wrote to memory of 2528	2032	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	109
PID 2528 wrote to memory of 2632	2528	cmd.exe	111
PID 2528 wrote to memory of 2632	2528	cmd.exe	111
PID 2528 wrote to memory of 2632	2528	cmd.exe	111
PID 2528 wrote to memory of 108	2528	cmd.exe	112
PID 2528 wrote to memory of 108	2528	cmd.exe	112
PID 2528 wrote to memory of 108	2528	cmd.exe	112
PID 108 wrote to memory of 1020	108	taskhost.exe	113
PID 108 wrote to memory of 1020	108	taskhost.exe	113
PID 108 wrote to memory of 1020	108	taskhost.exe	113
PID 108 wrote to memory of 1644	108	taskhost.exe	114
PID 108 wrote to memory of 1644	108	taskhost.exe	114
PID 108 wrote to memory of 1644	108	taskhost.exe	114
PID 1020 wrote to memory of 2916	1020	WScript.exe	115
PID 1020 wrote to memory of 2916	1020	WScript.exe	115
PID 1020 wrote to memory of 2916	1020	WScript.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
"C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2428
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\35gbisF1f8.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2632
- - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe
    "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:108
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9f709024-fb8f-4b87-b711-55d75ce7ac7d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb96d379-8198-44a3-9db8-5252bafde079.vbs"
      4⤵
      PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\PCHEALTH\ERRORREP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb99" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb99" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\AppPatch\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\AppPatch\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\lsm.exe

Filesize
1.7MB

MD5
0e54706392494cb778de91e5b7315a38

SHA1
499e561fa4ad09fd71201c01a41d969e42624021

SHA256
d4cf5d97711d2ea1d459948fe59b3bc8480b9b0f7530579e98d99b4e637c7f3d

SHA512
d4820044d7d9e2c72676e6ac09fb9f32ab1f74796a0836d0101fd145d487e5ad1665b392482c0734678eb366329a960a1f049f503ecfb2eeaa80cf7254e76c6a

Download Submit
C:\Program Files (x86)\Microsoft Sync Framework\v1.0\dllhost.exe

Filesize
1.7MB

MD5
7a6337d1705c5b4e696b224c29fc5233

SHA1
5631625b8754ac8e02f9b441a47b229ac37a6cbc

SHA256
916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9

SHA512
7727e5546724c46ac6c481989860e93f7b0e4537a0fc8a1d8595657181c985213f794390f0198a4a69f7b19f999b4bfef5d044f2a6fd2ecc51be119207753efe

Download Submit
C:\ProgramData\services.exe

Filesize
1.7MB

MD5
2674a0ab3dc0232784a3a5c2fe7577b7

SHA1
9831504260160553042cb4a2f3c2060f78c5cc75

SHA256
d4d38b246b78b032ee8970a2a54212a21727e6de05054a680d5d6eababbf6114

SHA512
b7bfbd1d2e92669d1df70182806959bfa54a6c7cbe4a568b5458f2cb5743c6d20fb9c11449174d5250dfd29b9ee31a30e1f60d2d6046be94105fe5cb5a11c2c0

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe

Filesize
1.7MB

MD5
52c58083958fb028fdb543462f7bd196

SHA1
17b4a5c86bb64127f1d9bc0f3ec19a99cc405094

SHA256
e1beb0e2169cf8b38b65073864b37ed139abb8fd6d4116e9b6d8f70e1215c77b

SHA512
700e4d1da6492044cad16edcc10fb9904c88f94b8097fe43a7c124136cb2a4749637bf7cd0d1972395955968e938dfcddb2393d5f9b1737b5719675a34f7b52a

Download Submit
C:\Users\Admin\AppData\Local\Temp\35gbisF1f8.bat

Filesize
226B

MD5
48f8f5c1fa8fdd482e549c7f8a117d13

SHA1
c05cf31aa450ce604df3e1aca9a15a158944ca8e

SHA256
f6a0e13b513bd6f886d0ce2a0a8a02778e3897516eff22c41cc2c9f21424440f

SHA512
7ecde2570784e983cedc169b84324d867592ac1adc299a6730368423d1eeff9c15ef501337413f99609d5823ef8ca24220fac89355c0a4f883d48b1797280528

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f709024-fb8f-4b87-b711-55d75ce7ac7d.vbs

Filesize
736B

MD5
808934450756210bd55c0d741a116840

SHA1
105bceb41f2d64c012c9caccfcae9a6c09245a73

SHA256
5ace2d2f9d03f8569dae8e4169f3a518e0200fc0bd91e7d50d692a9f6acc205b

SHA512
365fab65c54a43deb14da196886bf9c4fc74510213d3c068eb5ab0dcce60af8224ea738f85e57066b7b196c5dd319ab04630bf35d47adea4845fa529cc0cb301

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb96d379-8198-44a3-9db8-5252bafde079.vbs

Filesize
513B

MD5
b7096c23789dcdb39cbd38f1df808333

SHA1
d2947a2d8db22ea8a4cf4b8c93a49b3bcf34145b

SHA256
3c8c29ecaecfbe57b869557f5124a35f941baaf743cbc9beaae891cc7bfe8010

SHA512
f6989e98d9982194518c5817604527259740f293e0fb30bb0caa46de0a9a8d677d459be21a5c146cf8649fab8fb501752e8f31dfcf9de68c06de63237f4132c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fc24e7700214bc3e40fd83dd667c09a8

SHA1
08507f88b31b66a5f3a6b9b04f451941305e1b16

SHA256
3b5182bcff307a9abaef5680dc03b8159c66c2e44220c6d61933210df77a6f0f

SHA512
0f5627141cae6db9854d7abd3aacaef2bb1e67b8569f849d188b45a349ed64ddbf32ab291b7858a48ebfb242c3fd699b35ee89175a124e8132ccdaf47cb7f6f6

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.7MB

MD5
95ba8310b0e9bd04d0728a8b1ed69564

SHA1
ec17501dcba568dc902ddbff7f30adf22ffa9221

SHA256
5f7fce614d1f7ace3b17aef3afb0614d77c71da049278134a48643265bd2b1ea

SHA512
5771a0683442cc2c1234177e2c95bbdb666b413f55d6b3b37d7688f014b9f91c9815705d2c34b20d3d2e75c2bb0c003d259b4d1f16b4e203f98675dc497d7eec

Download Submit
memory/108-318-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/108-317-0x00000000001C0000-0x0000000000376000-memory.dmp

Filesize
1.7MB

Download
memory/1728-277-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1728-278-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2032-9-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/2032-217-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-14-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2032-17-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/2032-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-16-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2032-13-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2032-12-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2032-175-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2032-10-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download
memory/2032-199-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-15-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2032-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/2032-8-0x0000000000AA0000-0x0000000000AB0000-memory.dmp

Filesize
64KB

Download
memory/2032-266-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-6-0x0000000000B30000-0x0000000000B46000-memory.dmp

Filesize
88KB

Download
memory/2032-7-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2032-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

Filesize
32KB

Download
memory/2032-5-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2032-3-0x00000000002C0000-0x00000000002DC000-memory.dmp

Filesize
112KB

Download
memory/2032-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/2032-1-0x0000000000D40000-0x0000000000EF6000-memory.dmp

Filesize
1.7MB

Download
memory/2916-329-0x0000000000F40000-0x00000000010F6000-memory.dmp

Filesize
1.7MB

Download
memory/2916-330-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download