dcrat | 916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 02:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Size

1.7MB
MD5

7a6337d1705c5b4e696b224c29fc5233
SHA1

5631625b8754ac8e02f9b441a47b229ac37a6cbc
SHA256

916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9
SHA512

7727e5546724c46ac6c481989860e93f7b0e4537a0fc8a1d8595657181c985213f794390f0198a4a69f7b19f999b4bfef5d044f2a6fd2ecc51be119207753efe
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2724	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2104-1-0x0000000000F90000-0x0000000001146000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d47-27.dat	dcrat
behavioral1/files/0x0006000000019627-74.dat	dcrat
behavioral1/files/0x0009000000015e48-85.dat	dcrat
behavioral1/files/0x000a000000015f71-108.dat	dcrat
behavioral1/files/0x0008000000016d47-119.dat	dcrat
behavioral1/memory/1828-300-0x0000000000D50000-0x0000000000F06000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2024	powershell.exe
2796	powershell.exe
1284	powershell.exe
1956	powershell.exe
1344	powershell.exe
3068	powershell.exe
2068	powershell.exe
1692	powershell.exe
2416	powershell.exe
696	powershell.exe
1504	powershell.exe
2060	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	OSPPSVC.exe
408	OSPPSVC.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\csrss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\explorer.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXC686.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCXC6F4.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCXC210.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\7a0fd90576e088	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXBB18.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\RCXC20F.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXCB0D.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXCB0E.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\6ccacd8608530f	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\MSBuild\csrss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\explorer.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCXCFF1.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCXCFF2.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\6ccacd8608530f	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXBB17.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\2cbf77912deacd	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Program Files (x86)\MSBuild\886983d96e3d3e	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\IME\es-ES\7a0fd90576e088	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\TAPI\RCXC909.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\IME\es-ES\RCXCD7F.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\IME\es-ES\explorer.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\TAPI\WmiPrvSE.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\TAPI\24dbde2999530e	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\ShellNew\RCXD3FB.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\AppCompat\RCXDA09.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\AppCompat\csrss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\ShellNew\audiodg.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\TAPI\RCXC908.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\ShellNew\RCXD3FA.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\AppCompat\RCXDA0A.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\AppCompat\886983d96e3d3e	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\IME\es-ES\RCXCD80.tmp	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\ShellNew\42af1c969fbb7b	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\AppCompat\csrss.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\TAPI\WmiPrvSE.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File opened for modification	C:\Windows\ShellNew\audiodg.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\schemas\TSWorkSpace\OSPPSVC.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
File created	C:\Windows\IME\es-ES\explorer.exe	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2436	schtasks.exe
1496	schtasks.exe
2260	schtasks.exe
2252	schtasks.exe
2112	schtasks.exe
1492	schtasks.exe
2064	schtasks.exe
2712	schtasks.exe
2604	schtasks.exe
2904	schtasks.exe
2672	schtasks.exe
1300	schtasks.exe
636	schtasks.exe
1780	schtasks.exe
1960	schtasks.exe
1776	schtasks.exe
1668	schtasks.exe
2004	schtasks.exe
1928	schtasks.exe
2244	schtasks.exe
776	schtasks.exe
2628	schtasks.exe
1924	schtasks.exe
1048	schtasks.exe
1872	schtasks.exe
1852	schtasks.exe
1472	schtasks.exe
2868	schtasks.exe
2632	schtasks.exe
796	schtasks.exe
552	schtasks.exe
3000	schtasks.exe
2800	schtasks.exe
1292	schtasks.exe
3024	schtasks.exe
856	schtasks.exe
580	schtasks.exe
2580	schtasks.exe
1196	schtasks.exe
2060	schtasks.exe
2796	schtasks.exe
1740	schtasks.exe
1372	schtasks.exe
2140	schtasks.exe
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
2024	powershell.exe
3068	powershell.exe
2416	powershell.exe
2060	powershell.exe
696	powershell.exe
1956	powershell.exe
2796	powershell.exe
1284	powershell.exe
2068	powershell.exe
1692	powershell.exe
1344	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1828	OSPPSVC.exe
Token: SeDebugPrivilege	408	OSPPSVC.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2416	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	77
PID 2104 wrote to memory of 2416	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	77
PID 2104 wrote to memory of 2416	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	77
PID 2104 wrote to memory of 2796	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	78
PID 2104 wrote to memory of 2796	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	78
PID 2104 wrote to memory of 2796	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	78
PID 2104 wrote to memory of 1284	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	79
PID 2104 wrote to memory of 1284	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	79
PID 2104 wrote to memory of 1284	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	79
PID 2104 wrote to memory of 1956	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	80
PID 2104 wrote to memory of 1956	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	80
PID 2104 wrote to memory of 1956	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	80
PID 2104 wrote to memory of 1344	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	81
PID 2104 wrote to memory of 1344	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	81
PID 2104 wrote to memory of 1344	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	81
PID 2104 wrote to memory of 696	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	82
PID 2104 wrote to memory of 696	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	82
PID 2104 wrote to memory of 696	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	82
PID 2104 wrote to memory of 3068	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	83
PID 2104 wrote to memory of 3068	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	83
PID 2104 wrote to memory of 3068	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	83
PID 2104 wrote to memory of 2068	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	84
PID 2104 wrote to memory of 2068	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	84
PID 2104 wrote to memory of 2068	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	84
PID 2104 wrote to memory of 1692	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	85
PID 2104 wrote to memory of 1692	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	85
PID 2104 wrote to memory of 1692	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	85
PID 2104 wrote to memory of 1504	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	86
PID 2104 wrote to memory of 1504	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	86
PID 2104 wrote to memory of 1504	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	86
PID 2104 wrote to memory of 2060	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	87
PID 2104 wrote to memory of 2060	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	87
PID 2104 wrote to memory of 2060	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	87
PID 2104 wrote to memory of 2024	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	88
PID 2104 wrote to memory of 2024	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	88
PID 2104 wrote to memory of 2024	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	88
PID 2104 wrote to memory of 536	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	101
PID 2104 wrote to memory of 536	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	101
PID 2104 wrote to memory of 536	2104	916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe	101
PID 536 wrote to memory of 1680	536	cmd.exe	103
PID 536 wrote to memory of 1680	536	cmd.exe	103
PID 536 wrote to memory of 1680	536	cmd.exe	103
PID 536 wrote to memory of 1828	536	cmd.exe	104
PID 536 wrote to memory of 1828	536	cmd.exe	104
PID 536 wrote to memory of 1828	536	cmd.exe	104
PID 1828 wrote to memory of 2464	1828	OSPPSVC.exe	105
PID 1828 wrote to memory of 2464	1828	OSPPSVC.exe	105
PID 1828 wrote to memory of 2464	1828	OSPPSVC.exe	105
PID 1828 wrote to memory of 3008	1828	OSPPSVC.exe	106
PID 1828 wrote to memory of 3008	1828	OSPPSVC.exe	106
PID 1828 wrote to memory of 3008	1828	OSPPSVC.exe	106
PID 2464 wrote to memory of 408	2464	WScript.exe	107
PID 2464 wrote to memory of 408	2464	WScript.exe	107
PID 2464 wrote to memory of 408	2464	WScript.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe
"C:\Users\Admin\AppData\Local\Temp\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5CwnD5YL3A.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1680
- - C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe
    "C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fd50ad3-dc25-425b-80a0-b20bd546b13d.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe
        
        "C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb3107ec-5eb3-4ef2-8a57-6defe805714f.vbs"
      4⤵
      PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Local Settings\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb99" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb99" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\IME\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\IME\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\ShellNew\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ShellNew\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Windows\ShellNew\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\AppCompat\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\AppCompat\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\WmiPrvSE.exe

Filesize
1.7MB

MD5
7a6337d1705c5b4e696b224c29fc5233

SHA1
5631625b8754ac8e02f9b441a47b229ac37a6cbc

SHA256
916a143563e75f975b628b8201560e7e870a7b0ae9684b1d1637884f7f30eeb9

SHA512
7727e5546724c46ac6c481989860e93f7b0e4537a0fc8a1d8595657181c985213f794390f0198a4a69f7b19f999b4bfef5d044f2a6fd2ecc51be119207753efe

Download Submit
C:\MSOCache\All Users\WmiPrvSE.exe

Filesize
1.7MB

MD5
6e02a954b02dbff8bad8fa88d1c41113

SHA1
bba5c6be2564684a307d3aaa18447fba949d54fb

SHA256
ae57df558f5b5ac240de5c6b41d0b498c1f3363afc24f211949312bb6a2f7826

SHA512
36fe7761118e916fb5a94ff61cb6f94580128c46686d59e4a2eeae38ca1768dbc6a36ccec03777c3b73dd9a39eb4cef778ef739bbc68c664a7916e5a847fc591

Download Submit
C:\Program Files (x86)\MSBuild\csrss.exe

Filesize
1.7MB

MD5
0c2902f8bde50a568318884cba5ec9e4

SHA1
9dd5a3f64db3520933e0460243247ec59da97426

SHA256
d82899d2e4378b2d218beacbf500a07e5bd1990e66e3d71743a140a25cc5f498

SHA512
7ecbd43bb3630efb251b0df1a92a6ea44ab19cd00f338e82afd33951214e10acbaf05a06b97332c92739061b6cf6d7bee48a82c7ba26086d2f54963acf80de8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fd50ad3-dc25-425b-80a0-b20bd546b13d.vbs

Filesize
724B

MD5
60cf039637220132bc9bb92e1a526b07

SHA1
bf5a4c2a239edb0fb2db83bece7d4f91ed631378

SHA256
ea2a061c3749a40c414a6c3a779b51ba9ffd1309e2227da3df343780b6538d40

SHA512
644a6703d76e07781facbba0b3cb0d338580feb93fa1bd039595e9d316183aa1352d8fa80d31e90cc72be9148c983ba7e6d5d5c3b4f2f0d87b52d8016fabc65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CwnD5YL3A.bat

Filesize
213B

MD5
4144f42c2905b281120de9ba74aeb6cf

SHA1
f88ae750a1ea0d2f63b2843df010426bf18d68dd

SHA256
cf25cab618509bb867093f5d97b28388149787788043df5cc954fd48219acf04

SHA512
443ee2989ee948f06ba3abcb73989a3848de69aa5c26d6b8cf0df6c4d02bcde5d6493dc76525bd0d95fc6f5b73c761707e4e899ca78473e055a4ca3ed8f388ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb3107ec-5eb3-4ef2-8a57-6defe805714f.vbs

Filesize
500B

MD5
a6f74186bd8749524559a26d33fd8709

SHA1
55fc87b5d69005962fb8e754b781aed321a1f6ea

SHA256
7b7211705c45e783ae6d088e1e752d0c379a213e6344eb9c1ca21c8c7c4413dc

SHA512
844805eb8afddca7395f82311ebefa62995670d21a4ba708efa16051fff674a65486f100e34ac3ebf7fcccaab8b2f601382444cabd1657b8d022a79d22b524fb

Download Submit
C:\Users\Admin\AppData\Local\audiodg.exe

Filesize
1.7MB

MD5
f04fb8340eae3da881aa82ed76cc2ecf

SHA1
09baef73f5c7bccb179734c21df88e2ef9100f51

SHA256
d2e19eb40375ca5d6f7747989dd5294ee76ec874d4f0dc7e3fc65821d8d82540

SHA512
061018f1090ee877ca8a03c11349538a87288232f0ad3d6c228e253b2e8b418db5021e546fca1d9404b8424bda649c6521df716bc0b246f53ded88d1d19bb411

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f8303938cb46167f6c72faf8cc190662

SHA1
bb73c2745622eaa6427b5393f3667037a49fa869

SHA256
e08c175df8a876ffcac1f3b8a7275d8c8aff0979cb029f5e3afef75206a1f12a

SHA512
82a790b2194b78eaa48510f335b6cad2fe3c1e8b6c28be5f9d375907ed9e764e6cbe5699d634b95cb43a963aea7c782bf8e1b01888bbd5c273394d5b06252179

Download Submit
C:\Users\Public\Favorites\dwm.exe

Filesize
1.7MB

MD5
9230c27269c0368fd9daa169844894a6

SHA1
64a84d3fa8f3ab12b2279795907cb25fc37e8580

SHA256
1507c57ec62f289f5484d8fab9b79247a29fb62aee73058064a72fd5b78726f9

SHA512
42ed22d8955c4aebad63765d9b6d9799ea942cdb7653ca8ce511700eca6873ea54370c1095eef5ca6bfe3c8045098a1e2461f739717c7f759d4be2893a8abf4c

Download Submit
memory/408-311-0x00000000004F0000-0x0000000000502000-memory.dmp

Filesize
72KB

Download
memory/1828-300-0x0000000000D50000-0x0000000000F06000-memory.dmp

Filesize
1.7MB

Download
memory/2024-296-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/2024-297-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2104-17-0x000000001AD60000-0x000000001AD6C000-memory.dmp

Filesize
48KB

Download
memory/2104-217-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-13-0x000000001AC20000-0x000000001AC2C000-memory.dmp

Filesize
48KB

Download
memory/2104-0-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/2104-20-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-16-0x000000001AD50000-0x000000001AD5C000-memory.dmp

Filesize
48KB

Download
memory/2104-15-0x000000001AD40000-0x000000001AD48000-memory.dmp

Filesize
32KB

Download
memory/2104-12-0x000000001AC10000-0x000000001AC1C000-memory.dmp

Filesize
48KB

Download
memory/2104-10-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2104-9-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2104-192-0x000007FEF55A3000-0x000007FEF55A4000-memory.dmp

Filesize
4KB

Download
memory/2104-14-0x000000001AC30000-0x000000001AC3A000-memory.dmp

Filesize
40KB

Download
memory/2104-240-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-8-0x0000000000B70000-0x0000000000B80000-memory.dmp

Filesize
64KB

Download
memory/2104-7-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/2104-6-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/2104-5-0x00000000009B0000-0x00000000009C0000-memory.dmp

Filesize
64KB

Download
memory/2104-4-0x00000000009A0000-0x00000000009A8000-memory.dmp

Filesize
32KB

Download
memory/2104-3-0x00000000004D0000-0x00000000004EC000-memory.dmp

Filesize
112KB

Download
memory/2104-2-0x000007FEF55A0000-0x000007FEF5F8C000-memory.dmp

Filesize
9.9MB

Download
memory/2104-1-0x0000000000F90000-0x0000000001146000-memory.dmp

Filesize
1.7MB

Download