dcrat | 55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddc

Resubmissions

13/01/2025, 05:27

250113-f5d5lszrem 10

12/01/2025, 20:07

250112-yv3pbszlel 10

Analysis

max time kernel
830s
max time network
718s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 05:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
Size

1.7MB
MD5

2709efc85a850a7ddb9ec3d228ef6640
SHA1

010165c876f030f0158b09d20af67238b954af66
SHA256

55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddc
SHA512

de2741c12710609eb94a420ca2ff139d10e3783ced7ec827b3f30cba6824a81c23b2e8608fe3725f26c7beb816884720fcef689b9c78a4150228772352772de1
SSDEEP

24576:t3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:tgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2720	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2720	schtasks.exe	30

DCRat payload 20 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2172-1-0x0000000000A40000-0x0000000000BF6000-memory.dmp	dcrat
behavioral1/files/0x00080000000190e0-27.dat	dcrat
behavioral1/files/0x000600000001a4a6-66.dat	dcrat
behavioral1/files/0x0008000000018687-77.dat	dcrat
behavioral1/files/0x0008000000019426-144.dat	dcrat
behavioral1/files/0x00070000000194ae-155.dat	dcrat
behavioral1/files/0x00070000000194df-166.dat	dcrat
behavioral1/memory/300-240-0x0000000000C00000-0x0000000000DB6000-memory.dmp	dcrat
behavioral1/memory/676-252-0x0000000000240000-0x00000000003F6000-memory.dmp	dcrat
behavioral1/memory/1512-258-0x00000000002B0000-0x0000000000466000-memory.dmp	dcrat
behavioral1/memory/1268-260-0x0000000000C00000-0x0000000000DB6000-memory.dmp	dcrat
behavioral1/memory/1152-263-0x0000000001340000-0x00000000014F6000-memory.dmp	dcrat
behavioral1/memory/1656-266-0x00000000009C0000-0x0000000000B76000-memory.dmp	dcrat
behavioral1/memory/2400-270-0x0000000000C10000-0x0000000000DC6000-memory.dmp	dcrat
behavioral1/memory/2688-272-0x0000000000880000-0x0000000000A36000-memory.dmp	dcrat
behavioral1/memory/1592-278-0x0000000000F10000-0x00000000010C6000-memory.dmp	dcrat
behavioral1/memory/2140-279-0x00000000013C0000-0x0000000001576000-memory.dmp	dcrat
behavioral1/memory/2404-280-0x00000000003E0000-0x0000000000596000-memory.dmp	dcrat
behavioral1/memory/2848-285-0x00000000008B0000-0x0000000000A66000-memory.dmp	dcrat
behavioral1/memory/2592-290-0x0000000000820000-0x00000000009D6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2552	powershell.exe
2656	powershell.exe
2676	powershell.exe
2768	powershell.exe
2920	powershell.exe
2124	powershell.exe
2592	powershell.exe
2708	powershell.exe
1708	powershell.exe
2784	powershell.exe
2760	powershell.exe
2316	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe

Executes dropped EXE 15 IoCs

pid	Process
300	lsm.exe
676	lsm.exe
1268	audiodg.exe
1512	sppsvc.exe
1152	explorer.exe
1656	smss.exe
2400	dwm.exe
2688	lsm.exe
2140	sppsvc.exe
1592	dllhost.exe
2404	audiodg.exe
1836	System.exe
2848	WmiPrvSE.exe
1128	explorer.exe
2592	csrss.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\69ddcba757bf72	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\101b941d020240	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RCX69E3.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\Microsoft Office\smss.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\RCX75AF.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\smss.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\69ddcba757bf72	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RCX69E2.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Program Files\Microsoft Office\smss.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX6C55.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX6EC6.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX6EC7.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\RCX761D.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5940a34987c991	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\smss.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Program Files\Microsoft Office\RCX6C54.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\csrss.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Windows\Microsoft.NET\886983d96e3d3e	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Logs\CBS\dwm.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX62FA.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Microsoft.NET\RCX733D.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Windows\Performance\WinSAT\DataStore\24dbde2999530e	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Windows\Logs\CBS\dwm.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Windows\Logs\CBS\6cb0b6c459d5d3	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCX62F9.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Microsoft.NET\csrss.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Logs\CBS\RCX789F.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File created	C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Logs\CBS\RCX7831.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
File opened for modification	C:\Windows\Microsoft.NET\RCX733E.tmp	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2384	schtasks.exe
2788	schtasks.exe
1348	schtasks.exe
2796	schtasks.exe
2916	schtasks.exe
2636	schtasks.exe
844	schtasks.exe
2936	schtasks.exe
1972	schtasks.exe
2248	schtasks.exe
2544	schtasks.exe
3056	schtasks.exe
2080	schtasks.exe
672	schtasks.exe
1768	schtasks.exe
2660	schtasks.exe
2108	schtasks.exe
1120	schtasks.exe
2188	schtasks.exe
1148	schtasks.exe
1320	schtasks.exe
2152	schtasks.exe
2020	schtasks.exe
3000	schtasks.exe
2880	schtasks.exe
1236	schtasks.exe
540	schtasks.exe
2300	schtasks.exe
2252	schtasks.exe
2560	schtasks.exe
2072	schtasks.exe
2856	schtasks.exe
3064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
2784	powershell.exe
2676	powershell.exe
2920	powershell.exe
2768	powershell.exe
1708	powershell.exe
2592	powershell.exe
2656	powershell.exe
2760	powershell.exe
2552	powershell.exe
2124	powershell.exe
2708	powershell.exe
2316	powershell.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe
300	lsm.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	300	lsm.exe
Token: SeDebugPrivilege	676	lsm.exe
Token: SeDebugPrivilege	1512	sppsvc.exe
Token: SeDebugPrivilege	1268	audiodg.exe
Token: SeDebugPrivilege	1152	explorer.exe
Token: SeDebugPrivilege	1656	smss.exe
Token: SeDebugPrivilege	2400	dwm.exe
Token: SeDebugPrivilege	2688	lsm.exe
Token: SeDebugPrivilege	1592	dllhost.exe
Token: SeDebugPrivilege	2140	sppsvc.exe
Token: SeDebugPrivilege	2404	audiodg.exe
Token: SeDebugPrivilege	1836	System.exe
Token: SeDebugPrivilege	2848	WmiPrvSE.exe
Token: SeDebugPrivilege	1128	explorer.exe
Token: SeDebugPrivilege	2592	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2656	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	64
PID 2172 wrote to memory of 2656	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	64
PID 2172 wrote to memory of 2656	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	64
PID 2172 wrote to memory of 2784	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	65
PID 2172 wrote to memory of 2784	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	65
PID 2172 wrote to memory of 2784	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	65
PID 2172 wrote to memory of 2760	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	66
PID 2172 wrote to memory of 2760	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	66
PID 2172 wrote to memory of 2760	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	66
PID 2172 wrote to memory of 2768	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	67
PID 2172 wrote to memory of 2768	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	67
PID 2172 wrote to memory of 2768	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	67
PID 2172 wrote to memory of 2920	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	68
PID 2172 wrote to memory of 2920	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	68
PID 2172 wrote to memory of 2920	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	68
PID 2172 wrote to memory of 2124	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	69
PID 2172 wrote to memory of 2124	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	69
PID 2172 wrote to memory of 2124	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	69
PID 2172 wrote to memory of 2676	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	70
PID 2172 wrote to memory of 2676	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	70
PID 2172 wrote to memory of 2676	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	70
PID 2172 wrote to memory of 2552	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	71
PID 2172 wrote to memory of 2552	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	71
PID 2172 wrote to memory of 2552	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	71
PID 2172 wrote to memory of 2592	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	72
PID 2172 wrote to memory of 2592	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	72
PID 2172 wrote to memory of 2592	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	72
PID 2172 wrote to memory of 2708	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	73
PID 2172 wrote to memory of 2708	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	73
PID 2172 wrote to memory of 2708	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	73
PID 2172 wrote to memory of 1708	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	74
PID 2172 wrote to memory of 1708	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	74
PID 2172 wrote to memory of 1708	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	74
PID 2172 wrote to memory of 2316	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	75
PID 2172 wrote to memory of 2316	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	75
PID 2172 wrote to memory of 2316	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	75
PID 2172 wrote to memory of 2104	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	88
PID 2172 wrote to memory of 2104	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	88
PID 2172 wrote to memory of 2104	2172	55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe	88
PID 2104 wrote to memory of 1100	2104	cmd.exe	90
PID 2104 wrote to memory of 1100	2104	cmd.exe	90
PID 2104 wrote to memory of 1100	2104	cmd.exe	90
PID 2104 wrote to memory of 300	2104	cmd.exe	91
PID 2104 wrote to memory of 300	2104	cmd.exe	91
PID 2104 wrote to memory of 300	2104	cmd.exe	91
PID 300 wrote to memory of 884	300	lsm.exe	92
PID 300 wrote to memory of 884	300	lsm.exe	92
PID 300 wrote to memory of 884	300	lsm.exe	92
PID 300 wrote to memory of 2620	300	lsm.exe	93
PID 300 wrote to memory of 2620	300	lsm.exe	93
PID 300 wrote to memory of 2620	300	lsm.exe	93
PID 884 wrote to memory of 676	884	WScript.exe	94
PID 884 wrote to memory of 676	884	WScript.exe	94
PID 884 wrote to memory of 676	884	WScript.exe	94
PID 2888 wrote to memory of 1512	2888	taskeng.exe	96
PID 2888 wrote to memory of 1512	2888	taskeng.exe	96
PID 2888 wrote to memory of 1512	2888	taskeng.exe	96
PID 2888 wrote to memory of 1512	2888	taskeng.exe	96
PID 2888 wrote to memory of 1512	2888	taskeng.exe	96
PID 2888 wrote to memory of 1268	2888	taskeng.exe	97
PID 2888 wrote to memory of 1268	2888	taskeng.exe	97
PID 2888 wrote to memory of 1268	2888	taskeng.exe	97
PID 2888 wrote to memory of 1152	2888	taskeng.exe	98
PID 2888 wrote to memory of 1152	2888	taskeng.exe	98

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe
C:\Users\Admin\AppData\Local\Temp\55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddcN.exe cmd /c %SIGILL% "SIGTERM|DELETE|SIGKILL"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WddsjisPEu.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1100
- - C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe
    "C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:300
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b3a4cc4-dd3f-4e08-b53c-1ccfe0c13716.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe
        
        "C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c887be3-aeb9-4fbb-8b85-a8b7b6c9d39c.vbs"
      4⤵
      PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\Acrobat\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Microsoft.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\Logs\CBS\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\CBS\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\taskeng.exe
taskeng.exe {1AD94108-1FCC-496A-9B12-790AD59D57AE} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe
  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Users\All Users\Adobe\Acrobat\audiodg.exe
  "C:\Users\All Users\Adobe\Acrobat\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe
  "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\smss.exe
  "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\smss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\Logs\CBS\dwm.exe
  C:\Windows\Logs\CBS\dwm.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2400
- C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe
  "C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe
  "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe
  C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Users\All Users\Adobe\Acrobat\audiodg.exe
  "C:\Users\All Users\Adobe\Acrobat\audiodg.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2404
- C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe
  "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe
  C:\Windows\Performance\WinSAT\DataStore\WmiPrvSE.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe
  "C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\Microsoft.NET\csrss.exe
  C:\Windows\Microsoft.NET\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DVD Maker\Shared\DvdStyles\lsm.exe

Filesize
1.7MB

MD5
64c1c64edb0f88bf3c1b19475996ce0f

SHA1
452448d312e6a52c74c238bb304f69624fd0a6e0

SHA256
7f9dd3bbf6fcf1b1450c689cbef72c629a6981a110dbe85ffea99f65c1dcc5c3

SHA512
3bc92266f616bfa272777d28d579f1b6b685919282abce10ba16383a7b0432b80f3afd4df113c364708237383a9065becc734b8abad8160c959c5c1b471f4013

Download Submit
C:\Program Files\Microsoft Office\smss.exe

Filesize
1.7MB

MD5
2709efc85a850a7ddb9ec3d228ef6640

SHA1
010165c876f030f0158b09d20af67238b954af66

SHA256
55ef6c766af0ded94cf6feaa0a5b53d332ebb01e05e6dcdee03ec92bc2421ddc

SHA512
de2741c12710609eb94a420ca2ff139d10e3783ced7ec827b3f30cba6824a81c23b2e8608fe3725f26c7beb816884720fcef689b9c78a4150228772352772de1

Download Submit
C:\ProgramData\Adobe\Acrobat\audiodg.exe

Filesize
1.7MB

MD5
04f90d62573c76f609af9306be72981d

SHA1
8f3ac77c80b733e1fb87c215ca1599b7b3ce96cb

SHA256
91f6c0731ac4dd96977ffc6231ed494380d54e245661fe0d9c6ef05bda6c163c

SHA512
0cfb54e24dbd0f34d107e969a41e43a2d6a816b96f9c5c560c53b6e1305202e9963c7f0d47a1232491a43df732573ccd8162c5686edf07ce1a76a8154cded632

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\explorer.exe

Filesize
1.7MB

MD5
5b0829db8d23b3fb92e2d0ed8474b42d

SHA1
c4c5b5e3dc9490c138808d81bf3152e8edb4f0dd

SHA256
6473d1bb7a18f0e97f09db2481763e3de5dfb04ad997ae1c93ad8c50ad9a02ee

SHA512
8097d91f2fc33d2573c9da251de869acf9caaf3cfea4c53473553b01039c80e4ab377dc7bad6728df62182ed113278b174775f14a4dd2cf1f9039d91bdbd4bae

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe

Filesize
1.7MB

MD5
83647dacf66c050af3d0b12f61d4b8e6

SHA1
bb5c1379581eecedc111243690c7e11b722a3efe

SHA256
8e5eda9c0e88c55f15a1ff56d5815eb12adbc07aa92532462388f104e0968612

SHA512
ee3683fc16d24a1fc09276298a3f420893c27fa58515b044686284c239a63a24f828267336e962be0b04978afef678141e00eda3167bb819cf9c53953a703f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c887be3-aeb9-4fbb-8b85-a8b7b6c9d39c.vbs

Filesize
503B

MD5
51a1843cee5076dbbd7125b862d26661

SHA1
291d982818990d230e930f3311f95a4bd15b3cbf

SHA256
ad6b1bdd31d9b2fda5b4bef618ff03c4cc6efb4552bf6b8ec4d553cfc0a7620a

SHA512
c6cfd064662da2e087717fb9ae828cabc1809e3619d3a591d9329382013276226c9e62f289472e5fb4af23c02502e6e161b80ae0d9f5381bd2c82ea78c9394e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\7b3a4cc4-dd3f-4e08-b53c-1ccfe0c13716.vbs

Filesize
726B

MD5
2f61e14213df8b5f0e6641cfcd11d39a

SHA1
e66af182452f6897c6dc686cbd1810e33bbb3291

SHA256
28d40a4f6dd53c33df8eefca2230226e1545b944e91e39d1af2c8654c029766b

SHA512
2f40fc187833369970a1b5e2435ed0793ff7082e0afcc2583998a7b0ae412fe669df3d007c9accd6d7dafdc5cbb9ca38d94bfb27ba5568dc5238970e32d0fccd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WddsjisPEu.bat

Filesize
216B

MD5
21f0c1349f65363b984df4255287a9ab

SHA1
5cf9d8cf594e8c746079a1a712be8e037ed928ae

SHA256
202dc787ac4b90cb49995986a3843415af91e17299922dddbf62233c2ee350b0

SHA512
627e0125acdfacd89cca64a2b5f43abe7791de732f728cbd8d91b187919366d603e70971d17bc73931fa607893ba6677adfa6d0ae754c67d364c5b3db2686212

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dfa89939b7b50747536e07161971e388

SHA1
b975b80a98a91775634a811eeda9505e3f2d921e

SHA256
fd5235ce5d1d241c92cb76ae5da19f83a70409ba50778868c227ca91219e96a7

SHA512
f6696ffb393ad512458e171bbc565f4d41e8326ca162cf9278fa9dc241ef0b282f27b93a524012e763d34601a83b8ee10021387eaf47a9ad341392951acefc02

Download Submit
C:\Windows\Logs\CBS\dwm.exe

Filesize
1.7MB

MD5
219a85a6025e641f0f73a2a7f9e7c372

SHA1
de4c31644bdf57f91b3ebc66c1161edf92015a18

SHA256
9c9927bdfeaba609e9e57e8033f578b7ecf4b706e8541a07046e8df011afcebc

SHA512
5c485b31300c2f45b3972ae483afc72efa29f5a49e8a645cde1f03dd9d8e68f517f1abfb28d7c3defe862ce82ba0ce9957883f5c59e46dd9cd7a9aa1f0b90885

Download Submit
memory/300-240-0x0000000000C00000-0x0000000000DB6000-memory.dmp

Filesize
1.7MB

Download
memory/300-241-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/676-252-0x0000000000240000-0x00000000003F6000-memory.dmp

Filesize
1.7MB

Download
memory/676-253-0x0000000002010000-0x0000000002022000-memory.dmp

Filesize
72KB

Download
memory/1152-263-0x0000000001340000-0x00000000014F6000-memory.dmp

Filesize
1.7MB

Download
memory/1268-260-0x0000000000C00000-0x0000000000DB6000-memory.dmp

Filesize
1.7MB

Download
memory/1512-258-0x00000000002B0000-0x0000000000466000-memory.dmp

Filesize
1.7MB

Download
memory/1512-259-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/1592-278-0x0000000000F10000-0x00000000010C6000-memory.dmp

Filesize
1.7MB

Download
memory/1656-267-0x0000000002130000-0x0000000002142000-memory.dmp

Filesize
72KB

Download
memory/1656-266-0x00000000009C0000-0x0000000000B76000-memory.dmp

Filesize
1.7MB

Download
memory/1836-286-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2140-279-0x00000000013C0000-0x0000000001576000-memory.dmp

Filesize
1.7MB

Download
memory/2172-174-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

Filesize
4KB

Download
memory/2172-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

Filesize
4KB

Download
memory/2172-20-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-17-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2172-16-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2172-214-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-9-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2172-8-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2172-7-0x0000000000200000-0x0000000000212000-memory.dmp

Filesize
72KB

Download
memory/2172-6-0x0000000000410000-0x0000000000426000-memory.dmp

Filesize
88KB

Download
memory/2172-4-0x00000000001E0000-0x00000000001E8000-memory.dmp

Filesize
32KB

Download
memory/2172-5-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2172-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2172-10-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2172-12-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2172-2-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-1-0x0000000000A40000-0x0000000000BF6000-memory.dmp

Filesize
1.7MB

Download
memory/2172-13-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/2172-14-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/2172-15-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/2400-270-0x0000000000C10000-0x0000000000DC6000-memory.dmp

Filesize
1.7MB

Download
memory/2404-280-0x00000000003E0000-0x0000000000596000-memory.dmp

Filesize
1.7MB

Download
memory/2592-290-0x0000000000820000-0x00000000009D6000-memory.dmp

Filesize
1.7MB

Download
memory/2676-197-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-272-0x0000000000880000-0x0000000000A36000-memory.dmp

Filesize
1.7MB

Download
memory/2688-273-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2784-203-0x0000000001CF0000-0x0000000001CF8000-memory.dmp

Filesize
32KB

Download
memory/2848-285-0x00000000008B0000-0x0000000000A66000-memory.dmp

Filesize
1.7MB

Download