dcrat | c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045

Resubmissions

21/12/2024, 04:50

241221-fgasaatlcl 10

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
Size

1.7MB
MD5

9b3e774fdf342e63dc855ce00ba70555
SHA1

2243b3e4cf15d76c33d7b791367002ddb929386d
SHA256

c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045
SHA512

d50374c8bae3c8c9d7e5abd3ca8494f0e458c9b99c444061291ea6efbc70e607d6036a647e25426da042243350cd36c49e68a2660b4b961310e26b40c00846f2
SSDEEP

24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2516	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2516	schtasks.exe	30

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2292-1-0x0000000001200000-0x00000000013B6000-memory.dmp	dcrat
behavioral1/files/0x00050000000193dc-27.dat	dcrat
behavioral1/files/0x00150000000120d6-151.dat	dcrat
behavioral1/files/0x000a000000019508-162.dat	dcrat
behavioral1/files/0x0007000000019510-173.dat	dcrat
behavioral1/memory/2860-342-0x0000000000100000-0x00000000002B6000-memory.dmp	dcrat
behavioral1/memory/628-354-0x0000000001160000-0x0000000001316000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
2752	powershell.exe
1964	powershell.exe
2448	powershell.exe
2316	powershell.exe
2996	powershell.exe
2908	powershell.exe
1084	powershell.exe
1768	powershell.exe
1372	powershell.exe
688	powershell.exe
2472	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe

Executes dropped EXE 2 IoCs

pid	Process
2860	System.exe
628	System.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\System32\0C0A\csrss.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Windows\System32\0C0A\886983d96e3d3e	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Windows\System32\0C0A\RCXD5DF.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Windows\System32\0C0A\RCXD5E0.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Windows\System32\0C0A\csrss.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\RCXE9CF.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Google\Update\RCXE9D0.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXEC42.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\services.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\explorer.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\taskhost.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\RCXE354.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\RCXEC41.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files\Microsoft Games\Mahjong\es-ES\7a0fd90576e088	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files (x86)\Google\Update\56085415360792	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\RCXD3DC.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXDC5C.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXE0D2.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files (x86)\Google\Update\wininit.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\c5b4cb5e9653cc	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCXE7CA.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\RCXE7CB.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\smss.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\explorer.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Google\Update\wininit.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\5940a34987c991	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\69ddcba757bf72	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\24dbde2999530e	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXDBEE.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\RCXE140.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\es-ES\RCXE355.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files (x86)\Google\Temp\taskhost.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files (x86)\Google\Temp\b75386f1303e64	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\smss.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXEE47.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\27d1bcfc3c54e0	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\RCXD3DB.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXEE46.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\services.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\Writers\System\csrss.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Windows\Vss\Writers\System\csrss.exe	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File created	C:\Windows\Vss\Writers\System\886983d96e3d3e	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXE558.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
File opened for modification	C:\Windows\Vss\Writers\System\RCXE559.tmp	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1096	schtasks.exe
2036	schtasks.exe
2380	schtasks.exe
896	schtasks.exe
1532	schtasks.exe
292	schtasks.exe
1684	schtasks.exe
2812	schtasks.exe
904	schtasks.exe
2880	schtasks.exe
2352	schtasks.exe
2832	schtasks.exe
1656	schtasks.exe
1236	schtasks.exe
2300	schtasks.exe
1328	schtasks.exe
3068	schtasks.exe
1048	schtasks.exe
2752	schtasks.exe
3044	schtasks.exe
2696	schtasks.exe
316	schtasks.exe
2952	schtasks.exe
1084	schtasks.exe
300	schtasks.exe
1768	schtasks.exe
2644	schtasks.exe
2996	schtasks.exe
1304	schtasks.exe
1240	schtasks.exe
2788	schtasks.exe
2736	schtasks.exe
344	schtasks.exe
2448	schtasks.exe
1580	schtasks.exe
2004	schtasks.exe
1528	schtasks.exe
2920	schtasks.exe
2872	schtasks.exe
1428	schtasks.exe
2836	schtasks.exe
1688	schtasks.exe
2136	schtasks.exe
880	schtasks.exe
1952	schtasks.exe
684	schtasks.exe
2028	schtasks.exe
2328	schtasks.exe
2504	schtasks.exe
2588	schtasks.exe
1936	schtasks.exe
2664	schtasks.exe
2704	schtasks.exe
2852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
2752	powershell.exe
1028	powershell.exe
1084	powershell.exe
2316	powershell.exe
2448	powershell.exe
2996	powershell.exe
1768	powershell.exe
1964	powershell.exe
2908	powershell.exe
688	powershell.exe
2472	powershell.exe
1372	powershell.exe
2860	System.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2860	System.exe
Token: SeDebugPrivilege	628	System.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1028	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	86
PID 2292 wrote to memory of 1028	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	86
PID 2292 wrote to memory of 1028	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	86
PID 2292 wrote to memory of 2472	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	87
PID 2292 wrote to memory of 2472	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	87
PID 2292 wrote to memory of 2472	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	87
PID 2292 wrote to memory of 2752	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	88
PID 2292 wrote to memory of 2752	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	88
PID 2292 wrote to memory of 2752	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	88
PID 2292 wrote to memory of 2908	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	90
PID 2292 wrote to memory of 2908	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	90
PID 2292 wrote to memory of 2908	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	90
PID 2292 wrote to memory of 2996	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	91
PID 2292 wrote to memory of 2996	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	91
PID 2292 wrote to memory of 2996	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	91
PID 2292 wrote to memory of 1084	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	93
PID 2292 wrote to memory of 1084	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	93
PID 2292 wrote to memory of 1084	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	93
PID 2292 wrote to memory of 2316	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	94
PID 2292 wrote to memory of 2316	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	94
PID 2292 wrote to memory of 2316	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	94
PID 2292 wrote to memory of 2448	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	96
PID 2292 wrote to memory of 2448	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	96
PID 2292 wrote to memory of 2448	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	96
PID 2292 wrote to memory of 688	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	98
PID 2292 wrote to memory of 688	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	98
PID 2292 wrote to memory of 688	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	98
PID 2292 wrote to memory of 1372	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	99
PID 2292 wrote to memory of 1372	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	99
PID 2292 wrote to memory of 1372	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	99
PID 2292 wrote to memory of 1768	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	100
PID 2292 wrote to memory of 1768	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	100
PID 2292 wrote to memory of 1768	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	100
PID 2292 wrote to memory of 1964	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	101
PID 2292 wrote to memory of 1964	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	101
PID 2292 wrote to memory of 1964	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	101
PID 2292 wrote to memory of 2120	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	109
PID 2292 wrote to memory of 2120	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	109
PID 2292 wrote to memory of 2120	2292	c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe	109
PID 2120 wrote to memory of 2172	2120	cmd.exe	112
PID 2120 wrote to memory of 2172	2120	cmd.exe	112
PID 2120 wrote to memory of 2172	2120	cmd.exe	112
PID 2120 wrote to memory of 2860	2120	cmd.exe	113
PID 2120 wrote to memory of 2860	2120	cmd.exe	113
PID 2120 wrote to memory of 2860	2120	cmd.exe	113
PID 2860 wrote to memory of 904	2860	System.exe	114
PID 2860 wrote to memory of 904	2860	System.exe	114
PID 2860 wrote to memory of 904	2860	System.exe	114
PID 2860 wrote to memory of 1932	2860	System.exe	115
PID 2860 wrote to memory of 1932	2860	System.exe	115
PID 2860 wrote to memory of 1932	2860	System.exe	115
PID 904 wrote to memory of 628	904	WScript.exe	116
PID 904 wrote to memory of 628	904	WScript.exe	116
PID 904 wrote to memory of 628	904	WScript.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe
"C:\Users\Admin\AppData\Local\Temp\c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XGbYzrvfKy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2172
- - C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
    "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d22358a-3b8e-4af8-9798-fd03c479e44a.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:904
    - - C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe
        
        "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7afd64c4-b687-416b-b1c5-f152bcbd6d50.vbs"
      4⤵
      PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\0C0A\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\0C0A\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\0C0A\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045c" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045c" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Mahjong\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\System\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\taskhost.exe

Filesize
1.7MB

MD5
034dda682290d2413934d09870edff16

SHA1
ad16eca767682765d5d38efb54d76e0ef36b8e00

SHA256
8f3a3d748e44bc6c47d182c4d45ef38e2cf33a261d8954b05e6b597cf7ad82bd

SHA512
786c74fd549f7db1696e839b18d492b9d3f70e9de6d0743d66624b64bf0411ce7360abd685dd24d6790c23ac58062ccba36b686d66d0f9923fa42fba031a0f2d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\dllhost.exe

Filesize
1.7MB

MD5
3a198f75d56d3bad79ea867797dfa6ab

SHA1
0b1078ee6002ad5c0e2ac720e9921aa8aabd6d41

SHA256
86e2cf7dacc6b96d606d6ced3dca9c00ab1a6dc6572082f885a4623253433c61

SHA512
5f5d3543b6344c57d33ae24ce8d0ae5bdb853d4524b6255d4dcbbf84b3e470d68471f4fd5243e933a1ac7527963da751f70b55873851740d88c2ef26f3faee00

Download Submit
C:\ProgramData\Microsoft Help\WmiPrvSE.exe

Filesize
1.7MB

MD5
b90c5c852e6a2a6ac14f58a3cbf15ede

SHA1
7528992e90d528f89cbc340fbafef8923bd5a68f

SHA256
3e5f7b2cd5290bfd93cce90b9506cbdd6eacf1cab842405489334d1b4279ee55

SHA512
2c71cade0e20f2f097a3ac43568c19460e1776ad7f06a776522cf11b8a66e846e4bd4edb6c2f74c2a26b1bab7c90c79df111dd3a644c7f2dda83a9f98f8bdc52

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d22358a-3b8e-4af8-9798-fd03c479e44a.vbs

Filesize
757B

MD5
ce9343fa0178f42bf239b4505a747581

SHA1
302818df204355bcde0921b67d71b3dd142bb0f8

SHA256
dfbb747fdeb4e42cb151e323aac3493b53dbf28903ee5623f9719d254c375836

SHA512
1d7501d9f33cfc10d6a9cd5435f4ddfa145ad8063a3d323ac8556e51b38cbb0163d0367606f9d5143fd6a3a7c3e3f82e7a8f4fd393eb212d589eefcf7f36a1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7afd64c4-b687-416b-b1c5-f152bcbd6d50.vbs

Filesize
533B

MD5
cf5dc44f5d3e3638bae42ad254ba433e

SHA1
b8c4af6565c9f486c8da17c09694919f87048b89

SHA256
60cc6df48b73c2055b2ac20c2fff5631ae8bc3a9577b893c3345ed1deceefe1d

SHA512
74c969bccf05c9838a2cd4ff58c4198621835b444f24cc57bace63de22829f433fba167334168e3fdace6e03962c153ad093e416388f96ea91aaf9f16333e8e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\XGbYzrvfKy.bat

Filesize
246B

MD5
259ee3c83f3ecc6563b585ba6bab1213

SHA1
ead8ba74e6b688da4d331b2699d01634d0d0cdc1

SHA256
5b7c089cf384e4b110a2097362e4072fe00567926c7c4279bcdb9776334f616a

SHA512
a5bad30d50b27efc999e813ef3dd83f8ef0bc9a5fa74c047e8de0ef2f75d832d44b6481d88bb4d608d67e675dac70112a1a2101541526186e14660e6b1ac3892

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d6301242521f3ae3d17bd96bbfa50b08

SHA1
b56edb6812ee15a49cf0ae7d40ebf741368b9eb2

SHA256
9b6d9778072fd7103f997b87019632ff13ea1cb3a505d0f92d8e970d89d61999

SHA512
b1c063536b12f47f2a9045209150a75445c6341d84b1ec8578ffef73d6f71d01eb16afb1016fdd3b4ccc6fdb79925f288218ed05297d067ddddbf47cdba49c1d

Download Submit
C:\Windows\System32\0C0A\csrss.exe

Filesize
1.7MB

MD5
9b3e774fdf342e63dc855ce00ba70555

SHA1
2243b3e4cf15d76c33d7b791367002ddb929386d

SHA256
c1d8febd8745bf2f6a446abc920b1c67f76b8f2980e65f4dca8512c70a0d6045

SHA512
d50374c8bae3c8c9d7e5abd3ca8494f0e458c9b99c444061291ea6efbc70e607d6036a647e25426da042243350cd36c49e68a2660b4b961310e26b40c00846f2

Download Submit
memory/628-354-0x0000000001160000-0x0000000001316000-memory.dmp

Filesize
1.7MB

Download
memory/2292-17-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/2292-199-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/2292-12-0x0000000000A90000-0x0000000000A9C000-memory.dmp

Filesize
48KB

Download
memory/2292-14-0x0000000000AB0000-0x0000000000ABA000-memory.dmp

Filesize
40KB

Download
memory/2292-13-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2292-16-0x0000000000AD0000-0x0000000000ADC000-memory.dmp

Filesize
48KB

Download
memory/2292-15-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/2292-0-0x000007FEF57B3000-0x000007FEF57B4000-memory.dmp

Filesize
4KB

Download
memory/2292-20-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-9-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/2292-8-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2292-7-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2292-6-0x0000000000A30000-0x0000000000A46000-memory.dmp

Filesize
88KB

Download
memory/2292-10-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/2292-223-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-248-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-5-0x0000000000580000-0x0000000000590000-memory.dmp

Filesize
64KB

Download
memory/2292-289-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-1-0x0000000001200000-0x00000000013B6000-memory.dmp

Filesize
1.7MB

Download
memory/2292-2-0x000007FEF57B0000-0x000007FEF619C000-memory.dmp

Filesize
9.9MB

Download
memory/2292-4-0x0000000000570000-0x0000000000578000-memory.dmp

Filesize
32KB

Download
memory/2292-3-0x00000000001D0000-0x00000000001EC000-memory.dmp

Filesize
112KB

Download
memory/2752-286-0x000000001B860000-0x000000001BB42000-memory.dmp

Filesize
2.9MB

Download
memory/2752-288-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2860-343-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2860-342-0x0000000000100000-0x00000000002B6000-memory.dmp

Filesize
1.7MB

Download