dcrat | b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
Size

1.7MB
MD5

5f8fd8f1e910dd9061f1a5a1c3bf1f76
SHA1

b6c997850b6358dea95e1c80f6920a57fb5098d4
SHA256

b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12
SHA512

efb4c860977a40978536b746ec5b372ca23c3fefd1b9a44ad1356fad414a0cfcf4695c7ba6c8b4a9f1c7242e7d72e81b0e9cf1686c08e265a493276be64149ab
SSDEEP

24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ6:tgwuuEpdDLNwVMeXDL0fdSzAGr

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2908	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2908	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/768-1-0x0000000000A90000-0x0000000000C46000-memory.dmp	dcrat
behavioral1/files/0x00050000000193e1-27.dat	dcrat
behavioral1/files/0x0009000000019427-98.dat	dcrat
behavioral1/files/0x000c0000000186e4-121.dat	dcrat
behavioral1/files/0x0007000000019431-132.dat	dcrat
behavioral1/files/0x000700000001950c-143.dat	dcrat
behavioral1/files/0x0009000000019609-166.dat	dcrat
behavioral1/files/0x0006000000019617-211.dat	dcrat
behavioral1/files/0x000700000001961b-296.dat	dcrat
behavioral1/memory/2972-298-0x0000000000E40000-0x0000000000FF6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2948	powershell.exe
1800	powershell.exe
704	powershell.exe
1592	powershell.exe
2320	powershell.exe
3068	powershell.exe
1924	powershell.exe
2848	powershell.exe
1480	powershell.exe
2152	powershell.exe
2992	powershell.exe
1652	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe

Executes dropped EXE 2 IoCs

pid	Process
2972	System.exe
1588	System.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCXA540.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXACA5.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Uninstall Information\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files\Mozilla Firefox\fonts\0a1fd5f707cd16	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\Idle.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXBA77.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Uninstall Information\explorer.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\RCXB321.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files\Windows Mail\de-DE\taskhost.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files\Windows Mail\de-DE\b75386f1303e64	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXA53F.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files\Uninstall Information\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXAC37.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXBA09.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\RCXB320.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\taskhost.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Program Files\Uninstall Information\28723e8fd17064	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX9CBE.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCX9CBF.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\0a1fd5f707cd16	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Windows\de-DE\RCXB0AE.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Windows\de-DE\RCXB11C.tmp	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File opened for modification	C:\Windows\de-DE\sppsvc.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
File created	C:\Windows\de-DE\sppsvc.exe	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2932	schtasks.exe
2160	schtasks.exe
2316	schtasks.exe
1160	schtasks.exe
3040	schtasks.exe
1800	schtasks.exe
988	schtasks.exe
2680	schtasks.exe
1508	schtasks.exe
1720	schtasks.exe
2012	schtasks.exe
2484	schtasks.exe
2632	schtasks.exe
1808	schtasks.exe
636	schtasks.exe
1356	schtasks.exe
2500	schtasks.exe
3016	schtasks.exe
2708	schtasks.exe
480	schtasks.exe
1608	schtasks.exe
2916	schtasks.exe
2808	schtasks.exe
1604	schtasks.exe
760	schtasks.exe
928	schtasks.exe
2592	schtasks.exe
2096	schtasks.exe
2036	schtasks.exe
2348	schtasks.exe
2244	schtasks.exe
352	schtasks.exe
2584	schtasks.exe
2068	schtasks.exe
1364	schtasks.exe
2992	schtasks.exe
844	schtasks.exe
848	schtasks.exe
796	schtasks.exe
900	schtasks.exe
3056	schtasks.exe
3004	schtasks.exe
2732	schtasks.exe
2844	schtasks.exe
1224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
2948	powershell.exe
1480	powershell.exe
2320	powershell.exe
1800	powershell.exe
1652	powershell.exe
3068	powershell.exe
2152	powershell.exe
1592	powershell.exe
2992	powershell.exe
1924	powershell.exe
704	powershell.exe
2848	powershell.exe
2972	System.exe
2972	System.exe
2972	System.exe
2972	System.exe
2972	System.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2972	System.exe
Token: SeDebugPrivilege	1588	System.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1592	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	76
PID 768 wrote to memory of 1592	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	76
PID 768 wrote to memory of 1592	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	76
PID 768 wrote to memory of 2320	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	77
PID 768 wrote to memory of 2320	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	77
PID 768 wrote to memory of 2320	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	77
PID 768 wrote to memory of 704	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	78
PID 768 wrote to memory of 704	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	78
PID 768 wrote to memory of 704	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	78
PID 768 wrote to memory of 1652	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	79
PID 768 wrote to memory of 1652	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	79
PID 768 wrote to memory of 1652	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	79
PID 768 wrote to memory of 2992	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	80
PID 768 wrote to memory of 2992	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	80
PID 768 wrote to memory of 2992	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	80
PID 768 wrote to memory of 2152	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	81
PID 768 wrote to memory of 2152	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	81
PID 768 wrote to memory of 2152	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	81
PID 768 wrote to memory of 1480	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	83
PID 768 wrote to memory of 1480	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	83
PID 768 wrote to memory of 1480	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	83
PID 768 wrote to memory of 2848	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	84
PID 768 wrote to memory of 2848	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	84
PID 768 wrote to memory of 2848	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	84
PID 768 wrote to memory of 1800	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	85
PID 768 wrote to memory of 1800	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	85
PID 768 wrote to memory of 1800	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	85
PID 768 wrote to memory of 1924	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	88
PID 768 wrote to memory of 1924	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	88
PID 768 wrote to memory of 1924	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	88
PID 768 wrote to memory of 3068	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	89
PID 768 wrote to memory of 3068	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	89
PID 768 wrote to memory of 3068	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	89
PID 768 wrote to memory of 2948	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	91
PID 768 wrote to memory of 2948	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	91
PID 768 wrote to memory of 2948	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	91
PID 768 wrote to memory of 1772	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	100
PID 768 wrote to memory of 1772	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	100
PID 768 wrote to memory of 1772	768	b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe	100
PID 1772 wrote to memory of 2016	1772	cmd.exe	102
PID 1772 wrote to memory of 2016	1772	cmd.exe	102
PID 1772 wrote to memory of 2016	1772	cmd.exe	102
PID 1772 wrote to memory of 2972	1772	cmd.exe	104
PID 1772 wrote to memory of 2972	1772	cmd.exe	104
PID 1772 wrote to memory of 2972	1772	cmd.exe	104
PID 2972 wrote to memory of 1964	2972	System.exe	105
PID 2972 wrote to memory of 1964	2972	System.exe	105
PID 2972 wrote to memory of 1964	2972	System.exe	105
PID 2972 wrote to memory of 592	2972	System.exe	106
PID 2972 wrote to memory of 592	2972	System.exe	106
PID 2972 wrote to memory of 592	2972	System.exe	106
PID 1964 wrote to memory of 1588	1964	WScript.exe	107
PID 1964 wrote to memory of 1588	1964	WScript.exe	107
PID 1964 wrote to memory of 1588	1964	WScript.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe
"C:\Users\Admin\AppData\Local\Temp\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i9xshOVDUh.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2016
- - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08602551-000a-41b9-8c8f-95eb82cdf648.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76249587-6667-4f16-b274-de985ba434c1.vbs"
      4⤵
      PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12b" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12" /sc ONLOGON /tr "'C:\MSOCache\All Users\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12b" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12b" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12b" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Recent\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12b" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12b" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe

Filesize
1.7MB

MD5
8496e567d8725a76d63474022f7e5a99

SHA1
f4569cb8650273b9b865baf8c6a159689268acf0

SHA256
cfb72ba71c0f81206ab3f8aa76f27b59010ff2c4b56ddd7e5aec94101128c8cb

SHA512
cc8a066d9694fcba783748303ae62bda9f54520bec39e77d44985dabdc65909bc9f04613790a8745756cab997630bd5311c4a7bb7182f4e0e7e600477fe8f66a

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe

Filesize
1.7MB

MD5
75cbbc91edacec6924f4aab610ba9a86

SHA1
e458af8833c10f4ba8e7710a5f4f625b063d138e

SHA256
88d37072e5c6ecd539ddd60dd0cb8d58209abd331e63aab7f7e7f825a9e98dff

SHA512
fb6eac93b1fc50310333d628722b15cd1527b313898ba8ef4735008f1e2e7ffdebbd5837377b6cc08d03e79ec3c674827e54332048ae219efa3f3f4508ceadb2

Download Submit
C:\Program Files\Uninstall Information\b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12.exe

Filesize
1.7MB

MD5
78d28197f45f929955ea178b981db869

SHA1
723bcb68f945e59e248ccd35ef91c8348a56ef29

SHA256
7a7b4928369fd4f3247e4d9d1ef979dc37fe72548116f00d46c2a19c9b1db2b4

SHA512
1cc89ba277552397f1ec80760309c8805293a3f85c3a2f7ac6b122a456fe1acadf05f96a25b7f3844a3ce21f4ceae309cc3876154d5527fc9bc32b2837150808

Download Submit
C:\Program Files\Uninstall Information\explorer.exe

Filesize
1.7MB

MD5
5f8fd8f1e910dd9061f1a5a1c3bf1f76

SHA1
b6c997850b6358dea95e1c80f6920a57fb5098d4

SHA256
b132f19ab5f81b1b7fa86d8b35b1d8b69d0c10c097f817727625534bd4d1eb12

SHA512
efb4c860977a40978536b746ec5b372ca23c3fefd1b9a44ad1356fad414a0cfcf4695c7ba6c8b4a9f1c7242e7d72e81b0e9cf1686c08e265a493276be64149ab

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe

Filesize
1.7MB

MD5
f1110d4734bf7f3aae146a461fb508d6

SHA1
084d42b4448ed4e4a9cb4f29ae1de6a4b84772d3

SHA256
f36de35444f8e54f83e19e56c5b3851ce891811cce7406c686d506746fccfb83

SHA512
bab7c3c0a3979d21df71234ded32b05eff51c91eeaaed36eacf0bbc7052f4a14427b28d208196a6047b5ef589d683fd261beb6d53d174b5ed709b02f13aae011

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\sppsvc.exe

Filesize
1.7MB

MD5
aa4628bd915c58c2ad486d197b337fad

SHA1
0eee3ddd40c326233eac8da1fdedd38ae500b45d

SHA256
bd03fdd2d3d3e9de535ab6985cf80f0a0b53d588630f259e0b4af1556d4ecd9d

SHA512
8f253d3e6b65024931b61cb183d14ce5889918a99df104b4842a7d14c88135b6fe8b97602ef7490607167fdc130a32d5bb7432b521a10c21de18ab48a2cbdd24

Download Submit
C:\Users\Admin\AppData\Local\Temp\08602551-000a-41b9-8c8f-95eb82cdf648.vbs

Filesize
735B

MD5
e8ba4bccf2094e0af734097983b11af9

SHA1
21f08cd0c4962a318bcaf1bda7dcfa33f7ebd8a9

SHA256
7350a75f2d84b738ba2e43449bd61ac07878f48c2bfe80c9b3fbc55f3a354d42

SHA512
451c05239689af5393984f36f0a695db9e9f0c22f9a2d20dcf2dbe296a764638c1be19d1827e13c109ea46fb2991b4313a69a97650c2f0916c2548c90c2dc6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\76249587-6667-4f16-b274-de985ba434c1.vbs

Filesize
511B

MD5
94bb39fe23596479f819aa4ac6d4a4e3

SHA1
15fb4fb804a83b1970ef181d6c43449925971ffd

SHA256
d04f22a3eaca3ca38005a5e181fbe3f6847baa0b7cb9896816ad7a756b1a9313

SHA512
a97332276f32cd5f86635b573e0037dec6b2169a72298a9bd07438fd67173b7a2967698c6698133065c0e12ef75e1733c616cbd4d56fb8d567f4270793d1c18b

Download Submit
C:\Users\Admin\AppData\Local\Temp\i9xshOVDUh.bat

Filesize
224B

MD5
229d29b4a5aae08d7a3113f5ea7f416c

SHA1
88c649663c9f8123a590af1827f60f7b1fdc901a

SHA256
087a9e8c7d321c09e1f15e50da76e5f82822f9a89e81ac7c41be8b3c63b80bd3

SHA512
7e6a58e557633b5c8f1d10119c3c066dd0d20747a1b7d8c61d71e03280d47ecf08bd56b12917684472f64f779f7904aa1446cc9e735587cb74e71e857ac1366c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
046df06e401a31e008fa818a584833c3

SHA1
6703f305751ee5b4c574f723843c70b344b8ad80

SHA256
36d903cec29ba69de74183a8457e7cf4e0a36df6ea89e19d55726b0e7d5fbeb2

SHA512
dfed8dcff89358251695ff1e8d154df0d387a685173bde1275a75d562df43ecb6c8b194039edc02aa09a27136267b294645a4867989cddf4340bfadbe08e42cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\taskhost.exe

Filesize
1.7MB

MD5
c22b47d4631dc8aa65edf82bd6a01e16

SHA1
e6dbd6a89d491b69d4750a3bede80f870876317e

SHA256
8ffb794d1b4e148ab889123ca0bcabc279b09626c13dd9e631d32b061e762527

SHA512
7d60d901c96d62220f74c605995c7a9f03fe966c6f367dca392c340be87999f918542f681cfaf8fb9ddc89bc3b489d3bfa25164500756816b1d3eebb668a73ce

Download Submit
C:\Windows\de-DE\sppsvc.exe

Filesize
1.7MB

MD5
49a26c62231d864460c91114f7a12b6b

SHA1
44a2c7898ad7e4b4060933859f4d0951054e6140

SHA256
326d1d0f8df91c53c146d7d3f745f2ae3dbc0dc5c2c00d5faa9abedd833a74bf

SHA512
553aa1038bc1242076873339e08c08d5db005c62a121d06d7ac6ace86de8862b7396f65fde26a37733ec256febc941ef7d4ad8d01fee3850001b13e73b3f451b

Download Submit
memory/768-9-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/768-210-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/768-15-0x00000000009D0000-0x00000000009D8000-memory.dmp

Filesize
32KB

Download
memory/768-16-0x00000000009E0000-0x00000000009EC000-memory.dmp

Filesize
48KB

Download
memory/768-17-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/768-20-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/768-14-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/768-12-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/768-10-0x0000000000680000-0x0000000000688000-memory.dmp

Filesize
32KB

Download
memory/768-0-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/768-8-0x0000000000630000-0x0000000000640000-memory.dmp

Filesize
64KB

Download
memory/768-6-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/768-192-0x000007FEF5DA3000-0x000007FEF5DA4000-memory.dmp

Filesize
4KB

Download
memory/768-13-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/768-7-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/768-227-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/768-4-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/768-5-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/768-1-0x0000000000A90000-0x0000000000C46000-memory.dmp

Filesize
1.7MB

Download
memory/768-2-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/768-233-0x000007FEF5DA0000-0x000007FEF678C000-memory.dmp

Filesize
9.9MB

Download
memory/768-3-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/1588-310-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2948-249-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2948-264-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Filesize
32KB

Download
memory/2972-298-0x0000000000E40000-0x0000000000FF6000-memory.dmp

Filesize
1.7MB

Download
memory/2972-299-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download