dcrat | b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5

Analysis

max time kernel
119s
max time network
113s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
Size

1.7MB
MD5

e925545425c1bb324afb86cbf84ba820
SHA1

125c717a690986a94e3a6575086e7f6f07b34c55
SHA256

b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5
SHA512

80d676851c7076dfbd29f5de351337d0c32fac9f2652fdcac7eccc3652fabc401a1a8e865b628ac50aa69b9259481a45483205c5ae22c3ce6f2352548ae06ec3
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2808	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2808	schtasks.exe	30

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2528-1-0x0000000000B20000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/files/0x0005000000019384-27.dat	dcrat
behavioral1/files/0x0007000000019346-76.dat	dcrat
behavioral1/files/0x000f0000000160d5-123.dat	dcrat
behavioral1/files/0x000c0000000193f8-169.dat	dcrat
behavioral1/memory/1544-259-0x00000000001B0000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/1112-327-0x0000000001250000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/2768-339-0x0000000000030000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2588-351-0x00000000002D0000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2056-363-0x00000000003C0000-0x0000000000580000-memory.dmp	dcrat
behavioral1/memory/2976-376-0x00000000008F0000-0x0000000000AB0000-memory.dmp	dcrat
behavioral1/memory/2672-388-0x00000000003F0000-0x00000000005B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1992	powershell.exe
2664	powershell.exe
2236	powershell.exe
1068	powershell.exe
2068	powershell.exe
1960	powershell.exe
2032	powershell.exe
1520	powershell.exe
1672	powershell.exe
1540	powershell.exe
1284	powershell.exe
684	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe

Executes dropped EXE 7 IoCs

pid	Process
1544	smss.exe
1112	smss.exe
2768	smss.exe
2588	smss.exe
2056	smss.exe
2976	smss.exe
2672	smss.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXBB91.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC008.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\7a0fd90576e088	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\1610b97d3ab4a7	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Program Files\Windows NT\f3b6ecef712a24	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXBE02.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Program Files (x86)\Internet Explorer\886983d96e3d3e	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCXBB90.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\RCXC007.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files\Windows NT\RCXC692.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files\Windows NT\spoolsv.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Program Files (x86)\Internet Explorer\csrss.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Program Files\Windows NT\spoolsv.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\RCXBE03.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\csrss.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Program Files\Windows NT\RCXC693.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Offline Web Pages\sppsvc.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXCD0F.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Windows\Offline Web Pages\sppsvc.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\RCXCD0E.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Windows\Resources\Ease of Access Themes\services.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Windows\L2Schemas\RCXAE8A.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Windows\Offline Web Pages\0a1fd5f707cd16	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Windows\Resources\Ease of Access Themes\services.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Windows\Resources\Ease of Access Themes\c5b4cb5e9653cc	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Windows\L2Schemas\RCXAE89.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXC48D.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Windows\L2Schemas\WmiPrvSE.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Windows\L2Schemas\24dbde2999530e	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File opened for modification	C:\Windows\Offline Web Pages\RCXC48E.tmp	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
File created	C:\Windows\L2Schemas\WmiPrvSE.exe	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2856	schtasks.exe
1580	schtasks.exe
976	schtasks.exe
2376	schtasks.exe
1212	schtasks.exe
1632	schtasks.exe
2728	schtasks.exe
2136	schtasks.exe
3036	schtasks.exe
1844	schtasks.exe
1352	schtasks.exe
2488	schtasks.exe
1652	schtasks.exe
2700	schtasks.exe
2740	schtasks.exe
1532	schtasks.exe
2252	schtasks.exe
2320	schtasks.exe
1736	schtasks.exe
2588	schtasks.exe
2664	schtasks.exe
2056	schtasks.exe
2316	schtasks.exe
944	schtasks.exe
328	schtasks.exe
1432	schtasks.exe
2572	schtasks.exe
1948	schtasks.exe
1716	schtasks.exe
2872	schtasks.exe
2676	schtasks.exe
1476	schtasks.exe
2904	schtasks.exe
1412	schtasks.exe
2504	schtasks.exe
1792	schtasks.exe
816	schtasks.exe
2624	schtasks.exe
3044	schtasks.exe
2144	schtasks.exe
2792	schtasks.exe
2464	schtasks.exe
2456	schtasks.exe
2804	schtasks.exe
2860	schtasks.exe
2704	schtasks.exe
2228	schtasks.exe
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
1520	powershell.exe
2032	powershell.exe
1992	powershell.exe
1672	powershell.exe
1284	powershell.exe
1540	powershell.exe
2068	powershell.exe
684	powershell.exe
1960	powershell.exe
2236	powershell.exe
2664	powershell.exe
1068	powershell.exe
1544	smss.exe
1544	smss.exe
1544	smss.exe
1544	smss.exe
1544	smss.exe
1544	smss.exe
1544	smss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1544	smss.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1112	smss.exe
Token: SeDebugPrivilege	2768	smss.exe
Token: SeDebugPrivilege	2588	smss.exe
Token: SeDebugPrivilege	2056	smss.exe
Token: SeDebugPrivilege	2976	smss.exe
Token: SeDebugPrivilege	2672	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1992	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	80
PID 2528 wrote to memory of 1992	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	80
PID 2528 wrote to memory of 1992	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	80
PID 2528 wrote to memory of 1520	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	81
PID 2528 wrote to memory of 1520	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	81
PID 2528 wrote to memory of 1520	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	81
PID 2528 wrote to memory of 2664	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	82
PID 2528 wrote to memory of 2664	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	82
PID 2528 wrote to memory of 2664	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	82
PID 2528 wrote to memory of 1672	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	84
PID 2528 wrote to memory of 1672	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	84
PID 2528 wrote to memory of 1672	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	84
PID 2528 wrote to memory of 1540	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	85
PID 2528 wrote to memory of 1540	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	85
PID 2528 wrote to memory of 1540	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	85
PID 2528 wrote to memory of 2236	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	86
PID 2528 wrote to memory of 2236	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	86
PID 2528 wrote to memory of 2236	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	86
PID 2528 wrote to memory of 1068	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	87
PID 2528 wrote to memory of 1068	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	87
PID 2528 wrote to memory of 1068	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	87
PID 2528 wrote to memory of 1284	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	88
PID 2528 wrote to memory of 1284	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	88
PID 2528 wrote to memory of 1284	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	88
PID 2528 wrote to memory of 684	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	89
PID 2528 wrote to memory of 684	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	89
PID 2528 wrote to memory of 684	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	89
PID 2528 wrote to memory of 2068	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	90
PID 2528 wrote to memory of 2068	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	90
PID 2528 wrote to memory of 2068	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	90
PID 2528 wrote to memory of 1960	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	91
PID 2528 wrote to memory of 1960	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	91
PID 2528 wrote to memory of 1960	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	91
PID 2528 wrote to memory of 2032	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	92
PID 2528 wrote to memory of 2032	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	92
PID 2528 wrote to memory of 2032	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	92
PID 2528 wrote to memory of 1544	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	104
PID 2528 wrote to memory of 1544	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	104
PID 2528 wrote to memory of 1544	2528	b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe	104
PID 1544 wrote to memory of 832	1544	smss.exe	105
PID 1544 wrote to memory of 832	1544	smss.exe	105
PID 1544 wrote to memory of 832	1544	smss.exe	105
PID 1544 wrote to memory of 1240	1544	smss.exe	106
PID 1544 wrote to memory of 1240	1544	smss.exe	106
PID 1544 wrote to memory of 1240	1544	smss.exe	106
PID 832 wrote to memory of 1112	832	WScript.exe	107
PID 832 wrote to memory of 1112	832	WScript.exe	107
PID 832 wrote to memory of 1112	832	WScript.exe	107
PID 1112 wrote to memory of 1808	1112	smss.exe	108
PID 1112 wrote to memory of 1808	1112	smss.exe	108
PID 1112 wrote to memory of 1808	1112	smss.exe	108
PID 1112 wrote to memory of 2028	1112	smss.exe	109
PID 1112 wrote to memory of 2028	1112	smss.exe	109
PID 1112 wrote to memory of 2028	1112	smss.exe	109
PID 1808 wrote to memory of 2768	1808	WScript.exe	110
PID 1808 wrote to memory of 2768	1808	WScript.exe	110
PID 1808 wrote to memory of 2768	1808	WScript.exe	110
PID 2768 wrote to memory of 2524	2768	smss.exe	111
PID 2768 wrote to memory of 2524	2768	smss.exe	111
PID 2768 wrote to memory of 2524	2768	smss.exe	111
PID 2768 wrote to memory of 2132	2768	smss.exe	112
PID 2768 wrote to memory of 2132	2768	smss.exe	112
PID 2768 wrote to memory of 2132	2768	smss.exe	112
PID 2524 wrote to memory of 2588	2524	WScript.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe
"C:\Users\Admin\AppData\Local\Temp\b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Users\Default User\smss.exe
  "C:\Users\Default User\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9dc8587f-0a47-44c1-9168-b3f56d770ea3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:832
  - - C:\Users\Default User\smss.exe
      "C:\Users\Default User\smss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a48856d6-67e2-4bd4-a697-e38f4c9f69ab.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1808
      - C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5587335e-16f3-43be-b0f2-396130d10112.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01ca1d23-eb2e-41c6-b3f3-b57616feaabc.vbs"
        9⤵
        
        PID:1568
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0e265af-854e-4224-bd9e-c3ed0172fc9d.vbs"
        11⤵
        
        PID:2900
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32831a5e-42b2-456f-a175-f44f187e01f1.vbs"
        13⤵
        
        PID:2684
        
        C:\Users\Default User\smss.exe
        
        "C:\Users\Default User\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\274d81a6-b536-43f9-9dd6-442bc6dd9549.vbs"
        15⤵
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dd8d7e02-b214-4477-8285-9e5fa8a41720.vbs"
        15⤵
        
        PID:1236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b29cf4e-caac-4628-8805-7344f1bebe87.vbs"
        13⤵
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90dfa4a2-2dd9-4b3e-bc03-fe72b9d39dfd.vbs"
        11⤵
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05a09839-e001-427d-8424-edb50d023fe2.vbs"
        9⤵
        
        PID:876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\be96c827-0d48-436e-94c8-ba912dd57f67.vbs"
        7⤵
        
        PID:2132
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8b5822e5-1508-4d52-a02c-25d806694256.vbs"
        5⤵
        
        PID:2028
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7984b295-cbe9-4473-9c5d-f36d4546c14c.vbs"
    3⤵
    PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\Offline Web Pages\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Idle.exe

Filesize
1.7MB

MD5
c88b74e445051cb891dabe89f00c0286

SHA1
fab40bdbf9756a288f97042039323d4ea04fa544

SHA256
16801c5dc8e16600ffc4eb8347582e2523f2b930b9c792ca632e8fff406784b9

SHA512
d154fc8ff8f6ac9aecb82b69591ad84402178eb61d962b1cacf78f363ca8575c7a8f9786fcc0d712a666a945497d7f134260e9ddfa36bf5792009368fba980a5

Download Submit
C:\ProgramData\Adobe\lsm.exe

Filesize
1.7MB

MD5
e925545425c1bb324afb86cbf84ba820

SHA1
125c717a690986a94e3a6575086e7f6f07b34c55

SHA256
b9ab7468de784cdab90190a6aa2d2071d733487cb331e41276f1d497e2d985f5

SHA512
80d676851c7076dfbd29f5de351337d0c32fac9f2652fdcac7eccc3652fabc401a1a8e865b628ac50aa69b9259481a45483205c5ae22c3ce6f2352548ae06ec3

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe

Filesize
1.7MB

MD5
faba950a2ffee3c76ac644956b785714

SHA1
a52c6b9fd03e791c58f90a56bee2edda9889736d

SHA256
ff3e9c593d716d1e926b11df5f91f8f7f07a465dde3c79495b8dc394b5e6346b

SHA512
4897cf882ce9d63e3f71158ed763a542ee2b96e98d173e6d7a83609ffc50a7c63dcb3bb699acdeb147a91919c0b07e31c78f6f3cf41818b92d4b8125f7dc304e

Download Submit
C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe

Filesize
1.7MB

MD5
7d84991539612cc3ddbec6b9a0adc7fb

SHA1
e12126391c01d8d396356f5bf12888d7ea77a62e

SHA256
8873459d9d0134eeb03febe1c5c7366bdf818872a10b1d1341a03ca37f6f01e5

SHA512
e8990fe642d51a77856172b5063ae9d970c439df51ec775bd496423389dcbef6e7a4f7714f435d2a904569f890c45ee30969c53466267e1d0231334b8d71e579

Download Submit
C:\Users\Admin\AppData\Local\Temp\01ca1d23-eb2e-41c6-b3f3-b57616feaabc.vbs

Filesize
706B

MD5
f93d3713f4d7520e7ab4aa80d04ec752

SHA1
e23c92fefbc667885787d7515b91f38263bf6b5f

SHA256
b62df49cbdf39e288d26270f7395d7a7c065bd470381fffae5f3ecf8c681b756

SHA512
4cae285f4ca1f0e668494ab9c79dbc4c3d58a7c2f72efe5d6fe7d1de6312f20fe788af37b7ab83ce0c978a0088127f8ba5d8604f2e7179a60737f2124a4d0685

Download Submit
C:\Users\Admin\AppData\Local\Temp\274d81a6-b536-43f9-9dd6-442bc6dd9549.vbs

Filesize
706B

MD5
fc6613e47d6ff050e02673f7cd243de3

SHA1
68f442d8d0b6ab51d7a06e8fdaf48f1c3b1503e9

SHA256
3590afa9bba9759bdfd7fb50ef71b51403d869db430872e5bb199a88e7cecc66

SHA512
e6ec0b1700b7ff60c54bb786408e53975aa64f0dc7fff843c3da6eff101bea612253326115f3fa83147824176f590b852553211ae4e10210582e2f11fffe811f

Download Submit
C:\Users\Admin\AppData\Local\Temp\32831a5e-42b2-456f-a175-f44f187e01f1.vbs

Filesize
706B

MD5
9d82e198c19bb62ddf947fd1facbda1b

SHA1
83c6850536da153d435913f0a04a97f5c2a4360d

SHA256
d4464d7bc2bcfa92a60ba56cb784b863ae84b97bfa06ef338325bc6dbcf20851

SHA512
0d14b300483f3f35a9b4b9984eb768cf16411d69a5a3590a8818fcdfe4228b9048895a95921035fba455f22cd098e76ff706805397cf44d767845a55224d30cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\5587335e-16f3-43be-b0f2-396130d10112.vbs

Filesize
706B

MD5
7788b70ea6dbaad53b4c0b2bf12b172f

SHA1
deefa1d978f284a7d5d536777cbd5eb1b926e989

SHA256
f057baafec960b5fa84f47850887fe5038ac25e41b0a22c82232eb26501632e8

SHA512
95e913ff648714cf16011163c62a385f95f346b32417927571beaa093a1cadb0ae89eb010ad57eda70975d06e999b37f4449a617ea1aaa9db0bb90e7fdb52f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7984b295-cbe9-4473-9c5d-f36d4546c14c.vbs

Filesize
482B

MD5
aa3624e1c3aa04cd35c3b157e99c9ff4

SHA1
b145958c18d274e2e1d6263387a232ac29dc6814

SHA256
eb50a358f2d13451cfac5918849ee092b10784f9a40d12b201a3b4d00b106359

SHA512
54135a3469245f2a69c4c901a813fa6b2d06e5457ca82f6ff25f223bd9840b26a34c10115c527c473f15018aebef424d48517d360eda779583288a191ce6363f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dc8587f-0a47-44c1-9168-b3f56d770ea3.vbs

Filesize
706B

MD5
c18e9757cf628ca405b4bed96ff81e6a

SHA1
874d7ab5220780da9575e65f6412a1a1c07ef49a

SHA256
cc50d862a1273114f744f43cdd8970aa2a189b91ce0db7a61ed20ee0394ec627

SHA512
ae3f00531c48961ddbf2ab7ffe3215fef0c984feeefd6ac60ddd432c9ae6357b9d1cdda1ffb5bd82ddbaf64bf0fbb936baa270c99dc1fff87828461f292a32ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0e265af-854e-4224-bd9e-c3ed0172fc9d.vbs

Filesize
706B

MD5
a0c62d802421cfcf928235dc95db772b

SHA1
3d3a487e5ab54bebf9739dc6805478dd1d31cce6

SHA256
e8c29370ff396af9a7f4d2d53e6da8dac7f3ddf17adf45f7eb7604abca10eb90

SHA512
baab08cb1ea087cf44204e62484aa7884d32062f078a8c464c8f3497eac1e168befd3d33a1b5a4807e8869a938b777c36b25559584ffa86c81ae236566962c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\a48856d6-67e2-4bd4-a697-e38f4c9f69ab.vbs

Filesize
706B

MD5
3bde5f9362653b23482964c2f67593f4

SHA1
2bb499538f1a6c53544d8b1cddb135b86a0d88f3

SHA256
618659a0a45f219c6ef59e6a453bbe31ea67c92b13c84a25e464744edb091919

SHA512
6cf7cc61c95b8773866001ba36227d920df5b11ed5a4965a2ce35a18a8ba206c1908cde049382fbfcd185b14d7a7711131e9d2bf5bd5b9fefe26df51a15ae0ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EN0C4O9T0FNKSEXGGBFC.temp

Filesize
7KB

MD5
2df9602701e3b2c8523ad13abc491e68

SHA1
45b8d4cef895e0ff967868188c6d965679e940b7

SHA256
42e3549020bd133aac98c89cb035ffad06a31ed0e53dd6b9844a8c34ea8527b5

SHA512
257684e63484f6a0a6539ecc909b68229cff1c0191be4684c212576cf4419391c8ad12957aba1ed680c5c6030f2845b70a2c46afbd8fa01f8dbd1078213cc81a

Download Submit
memory/1112-327-0x0000000001250000-0x0000000001410000-memory.dmp

Filesize
1.8MB

Download
memory/1520-281-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1520-280-0x000000001B7B0000-0x000000001BA92000-memory.dmp

Filesize
2.9MB

Download
memory/1544-259-0x00000000001B0000-0x0000000000370000-memory.dmp

Filesize
1.8MB

Download
memory/2056-363-0x00000000003C0000-0x0000000000580000-memory.dmp

Filesize
1.8MB

Download
memory/2056-364-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2528-12-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/2528-9-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/2528-17-0x0000000000B00000-0x0000000000B0C000-memory.dmp

Filesize
48KB

Download
memory/2528-196-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

Filesize
4KB

Download
memory/2528-220-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-245-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-16-0x0000000000AF0000-0x0000000000AFC000-memory.dmp

Filesize
48KB

Download
memory/2528-15-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/2528-14-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/2528-269-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-13-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/2528-0-0x000007FEF6643000-0x000007FEF6644000-memory.dmp

Filesize
4KB

Download
memory/2528-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/2528-20-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-8-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2528-1-0x0000000000B20000-0x0000000000CE0000-memory.dmp

Filesize
1.8MB

Download
memory/2528-7-0x0000000000620000-0x0000000000630000-memory.dmp

Filesize
64KB

Download
memory/2528-2-0x000007FEF6640000-0x000007FEF702C000-memory.dmp

Filesize
9.9MB

Download
memory/2528-6-0x0000000000600000-0x0000000000616000-memory.dmp

Filesize
88KB

Download
memory/2528-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2528-4-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2528-3-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2588-351-0x00000000002D0000-0x0000000000490000-memory.dmp

Filesize
1.8MB

Download
memory/2672-388-0x00000000003F0000-0x00000000005B0000-memory.dmp

Filesize
1.8MB

Download
memory/2672-389-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2768-339-0x0000000000030000-0x00000000001F0000-memory.dmp

Filesize
1.8MB

Download
memory/2976-376-0x00000000008F0000-0x0000000000AB0000-memory.dmp

Filesize
1.8MB

Download