dcrat | 2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9

Analysis

max time kernel
149s
max time network
139s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
Size

1.7MB
MD5

46702766a2b352b3db95618c69a14526
SHA1

0c2c1e90dc69c16e2b09b705f6914b2372431a59
SHA256

2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9
SHA512

e1f84e854034293444f0f3ce562816e3f011ec58008f3601e00a7cf7125fc29c2f965fad7a59498d4d96b941006f20a4dcbb3373b325cd9fb6018cfa2aefc06e
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2636	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2088-1-0x0000000000880000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/files/0x0005000000019c34-27.dat	dcrat
behavioral1/files/0x000a000000018b68-83.dat	dcrat
behavioral1/files/0x000b000000019240-105.dat	dcrat
behavioral1/files/0x0008000000019c34-127.dat	dcrat
behavioral1/memory/2164-200-0x0000000001070000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2332-223-0x00000000010D0000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/2028-235-0x00000000001B0000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2704-247-0x0000000000F40000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2568-271-0x0000000001170000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/632-327-0x0000000001270000-0x0000000001430000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.exe
3052	powershell.exe
632	powershell.exe
1248	powershell.exe
1728	powershell.exe
976	powershell.exe
2260	powershell.exe
836	powershell.exe
2036	powershell.exe
1620	powershell.exe
2276	powershell.exe
1436	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe

Executes dropped EXE 12 IoCs

pid	Process
2164	WmiPrvSE.exe
1280	WmiPrvSE.exe
2332	WmiPrvSE.exe
2028	WmiPrvSE.exe
2704	WmiPrvSE.exe
1092	WmiPrvSE.exe
2568	WmiPrvSE.exe
2352	WmiPrvSE.exe
2468	WmiPrvSE.exe
2692	WmiPrvSE.exe
2340	WmiPrvSE.exe
632	WmiPrvSE.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX4DE9.tmp	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX526E.tmp	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File created	C:\Program Files (x86)\Google\Temp\24dbde2999530e	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6ccacd8608530f	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\6ccacd8608530f	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File created	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX4B76.tmp	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\RCX4B77.tmp	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\RCX4DE8.tmp	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCX526F.tmp	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\0a1fd5f707cd16	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Windows\es-ES\RCX54E0.tmp	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Windows\es-ES\RCX554E.tmp	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File opened for modification	C:\Windows\es-ES\sppsvc.exe	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
File created	C:\Windows\es-ES\sppsvc.exe	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2220	schtasks.exe
2360	schtasks.exe
2212	schtasks.exe
700	schtasks.exe
2660	schtasks.exe
1272	schtasks.exe
1984	schtasks.exe
2964	schtasks.exe
2608	schtasks.exe
3032	schtasks.exe
768	schtasks.exe
2784	schtasks.exe
2152	schtasks.exe
2856	schtasks.exe
2012	schtasks.exe
556	schtasks.exe
1320	schtasks.exe
1952	schtasks.exe
1652	schtasks.exe
2104	schtasks.exe
2264	schtasks.exe
1736	schtasks.exe
2580	schtasks.exe
3020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
2036	powershell.exe
3052	powershell.exe
976	powershell.exe
2272	powershell.exe
1620	powershell.exe
2260	powershell.exe
836	powershell.exe
1436	powershell.exe
1248	powershell.exe
2276	powershell.exe
1728	powershell.exe
632	powershell.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe
2164	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2164	WmiPrvSE.exe
Token: SeDebugPrivilege	1280	WmiPrvSE.exe
Token: SeDebugPrivilege	2332	WmiPrvSE.exe
Token: SeDebugPrivilege	2028	WmiPrvSE.exe
Token: SeDebugPrivilege	2704	WmiPrvSE.exe
Token: SeDebugPrivilege	1092	WmiPrvSE.exe
Token: SeDebugPrivilege	2568	WmiPrvSE.exe
Token: SeDebugPrivilege	2352	WmiPrvSE.exe
Token: SeDebugPrivilege	2468	WmiPrvSE.exe
Token: SeDebugPrivilege	2692	WmiPrvSE.exe
Token: SeDebugPrivilege	2340	WmiPrvSE.exe
Token: SeDebugPrivilege	632	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2036	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	55
PID 2088 wrote to memory of 2036	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	55
PID 2088 wrote to memory of 2036	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	55
PID 2088 wrote to memory of 1248	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	56
PID 2088 wrote to memory of 1248	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	56
PID 2088 wrote to memory of 1248	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	56
PID 2088 wrote to memory of 1728	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	57
PID 2088 wrote to memory of 1728	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	57
PID 2088 wrote to memory of 1728	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	57
PID 2088 wrote to memory of 1620	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	59
PID 2088 wrote to memory of 1620	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	59
PID 2088 wrote to memory of 1620	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	59
PID 2088 wrote to memory of 976	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	60
PID 2088 wrote to memory of 976	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	60
PID 2088 wrote to memory of 976	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	60
PID 2088 wrote to memory of 2276	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	61
PID 2088 wrote to memory of 2276	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	61
PID 2088 wrote to memory of 2276	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	61
PID 2088 wrote to memory of 1436	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	62
PID 2088 wrote to memory of 1436	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	62
PID 2088 wrote to memory of 1436	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	62
PID 2088 wrote to memory of 2260	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	63
PID 2088 wrote to memory of 2260	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	63
PID 2088 wrote to memory of 2260	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	63
PID 2088 wrote to memory of 2272	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	64
PID 2088 wrote to memory of 2272	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	64
PID 2088 wrote to memory of 2272	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	64
PID 2088 wrote to memory of 3052	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	65
PID 2088 wrote to memory of 3052	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	65
PID 2088 wrote to memory of 3052	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	65
PID 2088 wrote to memory of 836	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	66
PID 2088 wrote to memory of 836	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	66
PID 2088 wrote to memory of 836	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	66
PID 2088 wrote to memory of 632	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	67
PID 2088 wrote to memory of 632	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	67
PID 2088 wrote to memory of 632	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	67
PID 2088 wrote to memory of 2512	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	72
PID 2088 wrote to memory of 2512	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	72
PID 2088 wrote to memory of 2512	2088	2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe	72
PID 2512 wrote to memory of 3024	2512	cmd.exe	81
PID 2512 wrote to memory of 3024	2512	cmd.exe	81
PID 2512 wrote to memory of 3024	2512	cmd.exe	81
PID 2512 wrote to memory of 2164	2512	cmd.exe	82
PID 2512 wrote to memory of 2164	2512	cmd.exe	82
PID 2512 wrote to memory of 2164	2512	cmd.exe	82
PID 2164 wrote to memory of 2992	2164	WmiPrvSE.exe	83
PID 2164 wrote to memory of 2992	2164	WmiPrvSE.exe	83
PID 2164 wrote to memory of 2992	2164	WmiPrvSE.exe	83
PID 2164 wrote to memory of 1672	2164	WmiPrvSE.exe	84
PID 2164 wrote to memory of 1672	2164	WmiPrvSE.exe	84
PID 2164 wrote to memory of 1672	2164	WmiPrvSE.exe	84
PID 2992 wrote to memory of 1280	2992	WScript.exe	85
PID 2992 wrote to memory of 1280	2992	WScript.exe	85
PID 2992 wrote to memory of 1280	2992	WScript.exe	85
PID 1280 wrote to memory of 2884	1280	WmiPrvSE.exe	86
PID 1280 wrote to memory of 2884	1280	WmiPrvSE.exe	86
PID 1280 wrote to memory of 2884	1280	WmiPrvSE.exe	86
PID 1280 wrote to memory of 1124	1280	WmiPrvSE.exe	87
PID 1280 wrote to memory of 1124	1280	WmiPrvSE.exe	87
PID 1280 wrote to memory of 1124	1280	WmiPrvSE.exe	87
PID 2884 wrote to memory of 2332	2884	WScript.exe	88
PID 2884 wrote to memory of 2332	2884	WScript.exe	88
PID 2884 wrote to memory of 2332	2884	WScript.exe	88
PID 2332 wrote to memory of 1492	2332	WmiPrvSE.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe
"C:\Users\Admin\AppData\Local\Temp\2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0pZdKji8NG.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3024
- - C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
    "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fd1baef-6ea3-46ca-8f11-8290829300f3.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1280
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4db8401-4631-4a72-9caa-440c5728bc83.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\500fdea2-191d-4755-bad2-47f3c57cd904.vbs"
        8⤵
        
        PID:1492
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d4470b7-0383-4292-aae3-849bbc2914ba.vbs"
        10⤵
        
        PID:2788
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08c08000-1254-4900-bd09-57e666d115cd.vbs"
        12⤵
        
        PID:1340
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49a80170-0b26-43c0-98e3-e6dd5cf51841.vbs"
        14⤵
        
        PID:1836
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4270e42-ba06-4f3b-bebd-79aff81deda7.vbs"
        16⤵
        
        PID:2708
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\807c2d9f-a73e-4e18-8818-c457aab66c40.vbs"
        18⤵
        
        PID:1152
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\688e6912-b51a-4acb-94cc-2e7aa98071ea.vbs"
        20⤵
        
        PID:2616
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3e1cc89c-b9a0-48bd-b5c0-059bb6420753.vbs"
        22⤵
        
        PID:2672
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0854bfe1-a5f2-4992-88c2-7c86bd4699d6.vbs"
        24⤵
        
        PID:2472
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f7fb43d-d017-462f-828e-25dbdc2e3fa7.vbs"
        26⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b5378c4-d687-474a-8022-c08f4dec977a.vbs"
        26⤵
        
        PID:1968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7d326d2-c026-478e-be60-9d02485b0c03.vbs"
        24⤵
        
        PID:2508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0f6ab9e4-0b0e-4ba2-bfc0-bb4b4acf5140.vbs"
        22⤵
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72c0fda6-e124-40a6-8126-81bb2fb7882b.vbs"
        20⤵
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b77c56b-6769-4467-bfb8-f0cb2679f056.vbs"
        18⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5429803e-ba77-496a-b8dc-82e2408f51c9.vbs"
        16⤵
        
        PID:3052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\811a219f-9a2c-4759-8209-f37ec439ed63.vbs"
        14⤵
        
        PID:2932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bcdbb518-c48f-4f39-b7b6-fcb75f997d57.vbs"
        12⤵
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3c75bf0-6cd4-4e5b-81ac-c4da8f2f766c.vbs"
        10⤵
        
        PID:2316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b913115f-bd76-4f2d-92d4-39c16384d7d6.vbs"
        8⤵
        
        PID:2236
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\455272b0-f6aa-4b42-bd49-5f8ff8f45695.vbs"
        6⤵
        
        PID:1124
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\354cf917-c720-4dd6-9a29-a2755f77c615.vbs"
      4⤵
      PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Start Menu\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe

Filesize
1.7MB

MD5
46702766a2b352b3db95618c69a14526

SHA1
0c2c1e90dc69c16e2b09b705f6914b2372431a59

SHA256
2c3d4ff9418a1e587dd659c253e47af84820c7ff4218b8dbff46a6a4f1cf47b9

SHA512
e1f84e854034293444f0f3ce562816e3f011ec58008f3601e00a7cf7125fc29c2f965fad7a59498d4d96b941006f20a4dcbb3373b325cd9fb6018cfa2aefc06e

Download Submit
C:\Users\Admin\AppData\Local\Temp\0854bfe1-a5f2-4992-88c2-7c86bd4699d6.vbs

Filesize
723B

MD5
931cd8d46db151e2e258b225ad1f0e35

SHA1
16f824eba365ce019c43fb833cb4fc2d5c053cac

SHA256
399c9b57513022f90c9aced2af06530ae5f72c107d1bbc9812343185602fdad8

SHA512
ab66d7812ab2089e15f5ad72dcc17d7a1ce01aef13b696a67a8b48e617a8da0d3763839fa2c8bcbc1737709e8b91337ad7a9537da03d34c511f4c00ab0901841

Download Submit
C:\Users\Admin\AppData\Local\Temp\08c08000-1254-4900-bd09-57e666d115cd.vbs

Filesize
723B

MD5
1e55678875b4575a37711285ef545204

SHA1
072331ce0b1649a788baa4e055e41ca5bc21fd5f

SHA256
e6ca01797558c09c4dc21bba8feb43f7718809460aadf718679b2f18cbbbee38

SHA512
1c32cc37d63db6bb2f724ae9ad3b75a1389ced2e5e07d0a3b092adc8a057aa61465c2bf603b295d0853bd569bd6ae00e7063544b788dde200a79ec53ad888569

Download Submit
C:\Users\Admin\AppData\Local\Temp\0f7fb43d-d017-462f-828e-25dbdc2e3fa7.vbs

Filesize
722B

MD5
083249db6fb726c299e80f028fd9cb76

SHA1
35f2cefaf8ecd517f3646efac18c071e65aa6457

SHA256
d16946adf0925862da5af5335e005c2ff17510f2667a8380184fc205e0735394

SHA512
b5c3704e2ba388441b16b313dcde8330d4e1a2bd1e6e0d7add4eb56719e580e59923dc12d15b7171d89e0b78eb9c439ce650c825de496f48ecd483c6c3161d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0pZdKji8NG.bat

Filesize
212B

MD5
309fc933147868dc58baed5679923d2a

SHA1
334a4abe632896adee2e9a40135cd64258ced846

SHA256
75eab675c44b682731387501dae2c4131e178501b50ceeaeebbfacdb0feae773

SHA512
d9d1d08cabef4fcadae065cb2d14cad2567fc023ee6d3ac06fce53beac0f21d5a5dda06022cfac99cee42f6de3e10eaa80fc27b0b83c4f034589ac27b3822a1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\354cf917-c720-4dd6-9a29-a2755f77c615.vbs

Filesize
499B

MD5
601c074fbe1bea9b550f253e7af50780

SHA1
6eb1df64e80ff7d0a1ccdedea3547c95279b04c7

SHA256
0ee6913397e1e81d2fbdacbcbaa7866b72469ade44bf707cceb807cde08a93ef

SHA512
83c4ec663fe1cbc858ea1f9fc6ced55bfe4f95b6fb504475d432ac7af7610a1c086138eab1174878f3b36abe855e3e1b0cda56f88739f90e27cd49c258266c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3e1cc89c-b9a0-48bd-b5c0-059bb6420753.vbs

Filesize
723B

MD5
cc0c12e9a2c5a9da8ee649fc6e26642d

SHA1
2a64c188aeb7f0b9bb38a134b5d0b6b5e11cd823

SHA256
58d76d2f4b792ee8d900a24845418f2cb1f5b9e4db27471e61db326bcce37e2c

SHA512
dcb28f88839c9960f6c73083c3d20e028bda332f600ecd01a3b072ef7696821ce2b7865f489d9a8ad019cc94b3ac7c52cd67a5e2e7973dcf83fdeaff5596a584

Download Submit
C:\Users\Admin\AppData\Local\Temp\49a80170-0b26-43c0-98e3-e6dd5cf51841.vbs

Filesize
723B

MD5
876e61593dfa2276145377cb37005055

SHA1
b2b47cd8250a97a795649d079db1ab122d2b37f5

SHA256
003317bb21dc5bd52c5ad9d63d001e8c16dcaab8a4efb203e0fa295621b07ed8

SHA512
69d0d21abe67bb22ae63cefde57815aeb84d821f1041d26a33ea5dd92c2df981e442df12234191b7eef8dfb2e27e3347646b307d3d646958e2a1a10e5c2f602f

Download Submit
C:\Users\Admin\AppData\Local\Temp\500fdea2-191d-4755-bad2-47f3c57cd904.vbs

Filesize
723B

MD5
69d3be4b3125b6fd595d9b03ebbd4dce

SHA1
b62ead403021a8606caa7cbafe8ea2876a5ba3ec

SHA256
8ce71a79352c8f05494029949fc06459f35dd8373c1716bfa71a49e100ef6f4c

SHA512
239c0b0b263250b2b6f29f26139d7b05871cd59d9273b600c84837d0860ac86d6a52b9177664ac4cde734202fbd5f9b250ec7a333c994740690b520da173355d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fd1baef-6ea3-46ca-8f11-8290829300f3.vbs

Filesize
723B

MD5
6f2c819a013b631874f91df5b094a1b9

SHA1
636b4503d571a078e8340ef1b9e5381c8fb6897e

SHA256
8f84f47e3f5bf41daf802c856bc4ef1f113acf68e680da4311611078c699b7de

SHA512
a880693952d4598d79e9b4fa31ae282b1ae6ec8df882c0178786b7c16feee1912e2721ad8a491865900d72fd1641476992258e5382a908c6e72b890b1b792a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\688e6912-b51a-4acb-94cc-2e7aa98071ea.vbs

Filesize
723B

MD5
77b5ed9ac32a16b7ec8ff1baefbf6ac1

SHA1
38e664cd75eb180f40aff0a5497598ed8d861001

SHA256
7ebafd556af54f389c526216b4b2317d6ed7d52867a4648e62eb9dc0a056def1

SHA512
21b97f84f0c113e3b0190f700092d0ce29301229bca942e3bdfa6ee4f7c432f7a94e5dee0e955ccd13a6f91c7cfba12cdd1493148472b7dfb121cf4cfc7def60

Download Submit
C:\Users\Admin\AppData\Local\Temp\807c2d9f-a73e-4e18-8818-c457aab66c40.vbs

Filesize
723B

MD5
ee3781fe844451273463653885d952dc

SHA1
645cac4b1b435f1b7b8794dcde9e692dcecd8512

SHA256
2c4cdc0c5ab2d7c334ce041cbdd9d08e95db86aed914d93064c9a9a14e131c28

SHA512
0d18b5cb9c44389ab175d4305e79b58e409963e3f8cb870bbdc48164061abefc85ba4000bfd40bf875796c0271ce662cb77cba888b0f00d40e627abbfa5a1caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d4470b7-0383-4292-aae3-849bbc2914ba.vbs

Filesize
723B

MD5
3e0c296c636ee756acaae19baba60367

SHA1
e864d7ccc23f05779799da0a09e413dd2b784648

SHA256
c4121c14d673c0abeffebb1ceae4b8be8ac08dbce127fea36fc3605fc80d2403

SHA512
2a2dcd8836d3175c1c78cfb931a7379abf56a6dff709b0125b957095e209906553c9d9fadde2b64c294723c72c676724bf2aab853b46f8420cb5b96f0fdd5b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4270e42-ba06-4f3b-bebd-79aff81deda7.vbs

Filesize
723B

MD5
b826371e66d2eb1ea5c546d8e20c4911

SHA1
30a0a2e1c59b4576db5b9f9b3f7607939b9d1190

SHA256
0d3b9bfabb29d4fd26bcf1919407c8f3b2109115367b10c74fa5cbd234d3a156

SHA512
65e6033cc4baadd13a211fb3d43e16180b3cdd3aeeb472f4b92d9852b6f8349ffa27327cbe9a530daa981da2aa31f8be78d4302fe0dc8e4e2c7c2c596b1bd4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4db8401-4631-4a72-9caa-440c5728bc83.vbs

Filesize
723B

MD5
f669714f416fcdda4d8daa266c357a86

SHA1
d780dc5be26571796104b310d0c8cc9c343787f9

SHA256
c93498facfe1fc9a197c342443b3f2e4c3a521ba52e97868e24b4f2664d6b918

SHA512
c790eeee4d452996b085ef174873bc21495fd880f61cd368ecc25bf41dcc643640cbcb95b455cc328845c216b3cfc480878298d36bf751885c5f698d13f725ee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Network Shortcuts\csrss.exe

Filesize
1.7MB

MD5
cd2d1a49cbd166afa9a0952715ef1239

SHA1
3c948449784aa79c8c01f22ee428f83452029566

SHA256
af6b2e606fda1c1e371e8398640e141cf3f314ff22a4504575dd2018c558f89a

SHA512
aa6d0440e84d67cf7ff9ddb96c862d58e402319d880e9b8689ceede7baeec0d5c757f907efa7d3e8979679cdcd9ada51f223a20f716a053adcd70198ff51cf87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
93a52e977481360993665e724985b2b5

SHA1
b8295d44701a9a110aa9346326405df8eed54455

SHA256
2edf16903969befb38499c7240ae950aa8ebec8102c9a7f7963af2460efc00a7

SHA512
ea43ee8c7dfd2d1ada0230565da633f2a51cc40ffdad9417f536bdee886729ef93dcb792dbf87c21787059f53ce2ae1e311b8dd3771e121bb4bd354adbbbdc5f

Download Submit
C:\Users\Default\winlogon.exe

Filesize
1.7MB

MD5
82e6afd56ad1ec9510f910d90e5c00f1

SHA1
95d0b66568210025830599b40413d2490a6d8015

SHA256
8f2fd69ee11b6469e22cc682ae2a60b52bc8650d7452d522ff21517705ecb4ad

SHA512
0a2e243f0214e9cab6dc7efe3d4bcb6853af01516a9edfd2568bbfa5474f2eb82af69464ba06b54821345a9654d356d92b8fe55e1693f74fea600d3aa8cf8d0f

Download Submit
C:\Windows\es-ES\sppsvc.exe

Filesize
1.7MB

MD5
d5acdf7c0250ae1599b6324a53f7924f

SHA1
7672352d3d68a25afe6aef080ed722930d735417

SHA256
8e37dca27971862f31b08998c765900c4afbd6cb60e471dc1a735281bc37b63b

SHA512
9b353e55012979f8577601bdac5974533d735f7142efbb8f05ccbb9e810fd6d37671ffa96585ac0561618a0b03d1b8809ae2efa629e03624f1b24ddc9d4c6300

Download Submit
memory/632-327-0x0000000001270000-0x0000000001430000-memory.dmp

Filesize
1.8MB

Download
memory/1092-259-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2028-235-0x00000000001B0000-0x0000000000370000-memory.dmp

Filesize
1.8MB

Download
memory/2036-141-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/2036-140-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2088-14-0x0000000002300000-0x000000000230E000-memory.dmp

Filesize
56KB

Download
memory/2088-12-0x00000000022E0000-0x00000000022EC000-memory.dmp

Filesize
48KB

Download
memory/2088-19-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2088-1-0x0000000000880000-0x0000000000A40000-memory.dmp

Filesize
1.8MB

Download
memory/2088-2-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2088-17-0x0000000002330000-0x000000000233C000-memory.dmp

Filesize
48KB

Download
memory/2088-16-0x0000000002320000-0x000000000232C000-memory.dmp

Filesize
48KB

Download
memory/2088-15-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2088-3-0x0000000000840000-0x000000000085C000-memory.dmp

Filesize
112KB

Download
memory/2088-13-0x00000000022F0000-0x00000000022FA000-memory.dmp

Filesize
40KB

Download
memory/2088-0-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/2088-139-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/2088-4-0x0000000000860000-0x0000000000868000-memory.dmp

Filesize
32KB

Download
memory/2088-11-0x0000000002120000-0x0000000002132000-memory.dmp

Filesize
72KB

Download
memory/2088-9-0x0000000002110000-0x0000000002118000-memory.dmp

Filesize
32KB

Download
memory/2088-8-0x0000000002100000-0x000000000210C000-memory.dmp

Filesize
48KB

Download
memory/2088-5-0x0000000000870000-0x0000000000880000-memory.dmp

Filesize
64KB

Download
memory/2088-7-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2088-6-0x00000000020D0000-0x00000000020E6000-memory.dmp

Filesize
88KB

Download
memory/2164-201-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/2164-200-0x0000000001070000-0x0000000001230000-memory.dmp

Filesize
1.8MB

Download
memory/2332-223-0x00000000010D0000-0x0000000001290000-memory.dmp

Filesize
1.8MB

Download
memory/2568-271-0x0000000001170000-0x0000000001330000-memory.dmp

Filesize
1.8MB

Download
memory/2704-247-0x0000000000F40000-0x0000000001100000-memory.dmp

Filesize
1.8MB

Download