dcrat | e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/01/2025, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
Size

1.7MB
MD5

f1aff26566885c339febd3614e9949ce
SHA1

efc83772d697c76241c6f16db92d2a948bd5f3eb
SHA256

e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb
SHA512

7b24d470fc7addba58c287acaecd8945100a202bc748164c7e73f0455eda6cf11c8915973a5d875632cf0756d7db8fae60e34745dabf7d3920be86bfb92d400a
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2792	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2792	schtasks.exe	31

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2300-1-0x00000000003D0000-0x0000000000590000-memory.dmp	dcrat
behavioral1/files/0x0005000000019263-27.dat	dcrat
behavioral1/files/0x00080000000193c1-104.dat	dcrat
behavioral1/files/0x000b000000019263-139.dat	dcrat
behavioral1/files/0x0009000000019417-150.dat	dcrat
behavioral1/memory/1576-258-0x0000000001200000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/1004-335-0x00000000013B0000-0x0000000001570000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1448	powershell.exe
2920	powershell.exe
2000	powershell.exe
2928	powershell.exe
1944	powershell.exe
2344	powershell.exe
108	powershell.exe
2980	powershell.exe
2900	powershell.exe
2716	powershell.exe
2704	powershell.exe
2336	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe

Executes dropped EXE 9 IoCs

pid	Process
1576	WmiPrvSE.exe
864	WmiPrvSE.exe
2644	WmiPrvSE.exe
1504	WmiPrvSE.exe
1728	WmiPrvSE.exe
2728	WmiPrvSE.exe
2324	WmiPrvSE.exe
1004	WmiPrvSE.exe
1824	WmiPrvSE.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\csrss.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\f3b6ecef712a24	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCXE022.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCXE091.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\csrss.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\spoolsv.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\RCXD7A2.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\RCXD7A3.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\spoolsv.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\886983d96e3d3e	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXD59D.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\RCXD59E.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Program Files\Windows Media Player\es-ES\24dbde2999530e	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\Tasks\WMIADAP.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\Tasks\75a57c1bdf437c	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\CSC\v2.0.6\winlogon.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\6203df4a6bafc7	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\Tasks\RCXD398.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\RCXE70B.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\Tasks\RCXD399.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\Tasks\WMIADAP.exe	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
File opened for modification	C:\Windows\SoftwareDistribution\AuthCabs\RCXE70C.tmp	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
700	schtasks.exe
2604	schtasks.exe
1792	schtasks.exe
1440	schtasks.exe
2072	schtasks.exe
2980	schtasks.exe
1300	schtasks.exe
1912	schtasks.exe
2096	schtasks.exe
1864	schtasks.exe
2464	schtasks.exe
2152	schtasks.exe
1928	schtasks.exe
604	schtasks.exe
1092	schtasks.exe
2828	schtasks.exe
2372	schtasks.exe
2936	schtasks.exe
1028	schtasks.exe
1288	schtasks.exe
1628	schtasks.exe
2960	schtasks.exe
1352	schtasks.exe
1772	schtasks.exe
540	schtasks.exe
3064	schtasks.exe
2584	schtasks.exe
2820	schtasks.exe
1296	schtasks.exe
1944	schtasks.exe
2924	schtasks.exe
1652	schtasks.exe
2824	schtasks.exe
2728	schtasks.exe
1764	schtasks.exe
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
2704	powershell.exe
1944	powershell.exe
2336	powershell.exe
2000	powershell.exe
1448	powershell.exe
2980	powershell.exe
2716	powershell.exe
2900	powershell.exe
2928	powershell.exe
2920	powershell.exe
108	powershell.exe
2344	powershell.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe
1576	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1576	WmiPrvSE.exe
Token: SeDebugPrivilege	864	WmiPrvSE.exe
Token: SeDebugPrivilege	2644	WmiPrvSE.exe
Token: SeDebugPrivilege	1504	WmiPrvSE.exe
Token: SeDebugPrivilege	1728	WmiPrvSE.exe
Token: SeDebugPrivilege	2728	WmiPrvSE.exe
Token: SeDebugPrivilege	2324	WmiPrvSE.exe
Token: SeDebugPrivilege	1004	WmiPrvSE.exe
Token: SeDebugPrivilege	1824	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2716	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	68
PID 2300 wrote to memory of 2716	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	68
PID 2300 wrote to memory of 2716	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	68
PID 2300 wrote to memory of 2344	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	69
PID 2300 wrote to memory of 2344	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	69
PID 2300 wrote to memory of 2344	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	69
PID 2300 wrote to memory of 2704	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	70
PID 2300 wrote to memory of 2704	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	70
PID 2300 wrote to memory of 2704	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	70
PID 2300 wrote to memory of 108	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	71
PID 2300 wrote to memory of 108	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	71
PID 2300 wrote to memory of 108	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	71
PID 2300 wrote to memory of 2980	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	73
PID 2300 wrote to memory of 2980	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	73
PID 2300 wrote to memory of 2980	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	73
PID 2300 wrote to memory of 1448	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	74
PID 2300 wrote to memory of 1448	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	74
PID 2300 wrote to memory of 1448	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	74
PID 2300 wrote to memory of 2920	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	75
PID 2300 wrote to memory of 2920	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	75
PID 2300 wrote to memory of 2920	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	75
PID 2300 wrote to memory of 2336	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	76
PID 2300 wrote to memory of 2336	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	76
PID 2300 wrote to memory of 2336	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	76
PID 2300 wrote to memory of 2900	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	77
PID 2300 wrote to memory of 2900	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	77
PID 2300 wrote to memory of 2900	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	77
PID 2300 wrote to memory of 2000	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	78
PID 2300 wrote to memory of 2000	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	78
PID 2300 wrote to memory of 2000	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	78
PID 2300 wrote to memory of 2928	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	79
PID 2300 wrote to memory of 2928	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	79
PID 2300 wrote to memory of 2928	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	79
PID 2300 wrote to memory of 1944	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	80
PID 2300 wrote to memory of 1944	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	80
PID 2300 wrote to memory of 1944	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	80
PID 2300 wrote to memory of 2224	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	92
PID 2300 wrote to memory of 2224	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	92
PID 2300 wrote to memory of 2224	2300	e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe	92
PID 2224 wrote to memory of 2392	2224	cmd.exe	94
PID 2224 wrote to memory of 2392	2224	cmd.exe	94
PID 2224 wrote to memory of 2392	2224	cmd.exe	94
PID 2224 wrote to memory of 1576	2224	cmd.exe	95
PID 2224 wrote to memory of 1576	2224	cmd.exe	95
PID 2224 wrote to memory of 1576	2224	cmd.exe	95
PID 1576 wrote to memory of 2064	1576	WmiPrvSE.exe	96
PID 1576 wrote to memory of 2064	1576	WmiPrvSE.exe	96
PID 1576 wrote to memory of 2064	1576	WmiPrvSE.exe	96
PID 1576 wrote to memory of 2648	1576	WmiPrvSE.exe	97
PID 1576 wrote to memory of 2648	1576	WmiPrvSE.exe	97
PID 1576 wrote to memory of 2648	1576	WmiPrvSE.exe	97
PID 2064 wrote to memory of 864	2064	WScript.exe	98
PID 2064 wrote to memory of 864	2064	WScript.exe	98
PID 2064 wrote to memory of 864	2064	WScript.exe	98
PID 864 wrote to memory of 2464	864	WmiPrvSE.exe	99
PID 864 wrote to memory of 2464	864	WmiPrvSE.exe	99
PID 864 wrote to memory of 2464	864	WmiPrvSE.exe	99
PID 864 wrote to memory of 1692	864	WmiPrvSE.exe	100
PID 864 wrote to memory of 1692	864	WmiPrvSE.exe	100
PID 864 wrote to memory of 1692	864	WmiPrvSE.exe	100
PID 2464 wrote to memory of 2644	2464	WScript.exe	101
PID 2464 wrote to memory of 2644	2464	WScript.exe	101
PID 2464 wrote to memory of 2644	2464	WScript.exe	101
PID 2644 wrote to memory of 2936	2644	WmiPrvSE.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe
"C:\Users\Admin\AppData\Local\Temp\e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2392
- - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
    "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\55ea2136-a423-477e-a523-53b6161e74c9.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\51819b6c-8f49-4375-bab2-6973e7f95144.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68516bea-e278-4a08-b210-edc1a7326aae.vbs"
        8⤵
        
        PID:2936
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a542098-ed05-4e07-81d2-59b81df4dc43.vbs"
        10⤵
        
        PID:592
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c741ea22-722d-4608-bbe8-558d18d454bb.vbs"
        12⤵
        
        PID:1028
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a6d44cc-7a4d-4d77-820c-bfb2134e86bb.vbs"
        14⤵
        
        PID:1752
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99eb5538-642e-4d5d-a185-cc19eeb80b69.vbs"
        16⤵
        
        PID:2332
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a5d9699d-d0e6-4b97-bced-e0d2627c7352.vbs"
        18⤵
        
        PID:3008
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\939a0230-804f-4d15-abd0-65775f03af4f.vbs"
        20⤵
        
        PID:2784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2373999-c11f-432c-bc05-ec96ae969ebe.vbs"
        20⤵
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\285dc484-0e98-4b75-a7ed-1d1da5734ef1.vbs"
        18⤵
        
        PID:936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\377a8cf8-4fa3-4315-95c8-4a91011866a0.vbs"
        16⤵
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f71048-4a33-46cf-a92d-42de22243469.vbs"
        14⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c2504e56-9acc-4f5b-9628-7c311c3142b2.vbs"
        12⤵
        
        PID:2380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\37a8ba84-91e7-4eab-8063-a1997b29e59d.vbs"
        10⤵
        
        PID:2124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\904e4691-1073-4d97-af6f-9b571bba2470.vbs"
        8⤵
        
        PID:812
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\23b3a345-0f6d-4b69-98d7-709a2c686681.vbs"
        6⤵
        
        PID:1692
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f96324ba-daf6-4cd7-a7e0-c4ebce798168.vbs"
      4⤵
      PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Tasks\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Documents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft Help\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe

Filesize
1.7MB

MD5
0aed461eb8eeaaf4f1d869f42f2ac953

SHA1
e1b22f755a01578891c2eecc8e95c6885c83209c

SHA256
cdee6088370a25b25431ff3bf8064f55fce61103f6b3221acaf405e8ba847e5f

SHA512
dbdee16d7ebce8090bc6a826fd0d15536fe478e7def1421439b85dbbca096a89e7ce2b15222c2bd1be674d88fa520d0b58715457289df66505c36314a90dd17d

Download Submit
C:\Program Files\Windows Media Player\es-ES\WmiPrvSE.exe

Filesize
1.7MB

MD5
56ecca6b87d6fc545586e3ec44159b51

SHA1
97f4f0e48c050553181a798bafcc624cd1c00a33

SHA256
1b7193b4591a5aa2895b40cc4027aa0e9708c0eb9086e2e296f88f45542cc850

SHA512
ae4edd89bd922134feb9c0d642fbaf4b4247024e3b8ed8115cbbd516bfed0567ea4ff6c43c5dd248b10ccd37e350d770442ee7a5f8bb932821203369a23ddaac

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe

Filesize
1.7MB

MD5
f1aff26566885c339febd3614e9949ce

SHA1
efc83772d697c76241c6f16db92d2a948bd5f3eb

SHA256
e2e7ee6a7381687a633e35fb2a1d2fb46fc55e3a04da07299d43cc3a0c4755cb

SHA512
7b24d470fc7addba58c287acaecd8945100a202bc748164c7e73f0455eda6cf11c8915973a5d875632cf0756d7db8fae60e34745dabf7d3920be86bfb92d400a

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe

Filesize
1.7MB

MD5
b3da93b5780a3ee51c5948668dcab084

SHA1
ab508a57fcbcb5f3f064dbfca0374438bc9e0130

SHA256
9e77d728bc689f2ba8623e1ba63a731df8dbd4b299f4808d1b8868c330ecd2a6

SHA512
36a1038a1711ae2fba8f943d37e7c9d14cc39d46748f5728cddb103054fb825c8f929c95a0782e0d1e52687090e996402dba0ea244c70f14955782baa5a6a45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a6d44cc-7a4d-4d77-820c-bfb2134e86bb.vbs

Filesize
737B

MD5
901c96b4cbe5058c553b45142d4ed40e

SHA1
1cf6eb698f1cbb06efb5a9866fd3e35975b813d0

SHA256
a5ab0fb8347c252134051d70c8bae7e375f58b0cbd00d6d74cdd9cb72f52114b

SHA512
dae253c0959d242bbc0b5ddeb183c1b2ba2be3b59e62c055a514af02e4ad717ecfa5161246a3b6f53ce5c924ccf7e2375c0a147ac7c9ad813bfdc8e5d54747ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a542098-ed05-4e07-81d2-59b81df4dc43.vbs

Filesize
737B

MD5
2721c7448b8dfacfe497bcadc72afaa3

SHA1
bb5909dbc1c125a97a00f82b6effee540ac24ad1

SHA256
b3f26c849b665cdd22bd640a93f2113b9574658bd6609015931ed9f649a33732

SHA512
3489f28360b21b349b8f474dbf5d8b0904776992fbca3a517461f8ece428839094e40385933b33e38e8835f13e6540ec462d62d9a218a86df89e7188baede8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\51819b6c-8f49-4375-bab2-6973e7f95144.vbs

Filesize
736B

MD5
7d769db6c94cca38454ea488c95008c3

SHA1
3467793fc1e5bc8712d4502b6954d0e46ba26f49

SHA256
89cd9833d0ff65d68d33fb727ff3092abba77361f19a456d934455d0a5c97cd0

SHA512
6f9b005843eba28d7a2b656aa634c9ff7f10e2128421a2236f2730e18a316a72daddad1b09b1a47f975059698558ac6e3bf02e6dee52efaa1fb9522a149e5fe2

Download Submit
C:\Users\Admin\AppData\Local\Temp\55ea2136-a423-477e-a523-53b6161e74c9.vbs

Filesize
737B

MD5
da8f75b0b0694083b83ec9957ff67c13

SHA1
7fb9a3f8dbaa2e8111ecafe96bc28acd2675ebfe

SHA256
3d042f6aa79defe9695946d73390e5a6f95d86f1dd1cfd0918c3e0953f8f3e18

SHA512
18a55686982bf6361f48b3c5f6fcfbd261412c170c499bd4a50091a8e37c48b34ca4f387544c60ae8d6e220c77a393590355d737452cbd82856b08b038a8fb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\68516bea-e278-4a08-b210-edc1a7326aae.vbs

Filesize
737B

MD5
784369f66d4edc8bfbace956d3f62102

SHA1
536629ff295657a16f803722dc48c576bfcdebc5

SHA256
b40246620f6e07e1881695f046e64e1e96a87896c9e16decd7fa2039fce4acbc

SHA512
85547368762d459506964bfc3a7b1324fde605759cc4bad14e912b8b25a9f5db9682fb795b1e4b89cdddf6ca5f199b4874284582ce684a2f1e0608cbf22fe3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\6iFNwlpp3j.bat

Filesize
226B

MD5
90842a882e8f369c9f513fe98de583c1

SHA1
077b0d9678f2e51b5cd8adbbdabd90eeb27a6346

SHA256
df42a38d4c86aed35a37ce02ac5a68f3903b039a44ce1e4b771557fc698cd10f

SHA512
38642858473a6a5a0d111f22d7bf0a0fd335eb89f20e1de6b4ca8dc8d144a8106176b6efec85455f97f7fdecaf0d2936c8397e7e1e226dfab3976775ec2f78b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\939a0230-804f-4d15-abd0-65775f03af4f.vbs

Filesize
737B

MD5
b7802fd2900c0452eec4ac2d9ee01d2b

SHA1
a41f3a19a18e3d6e2437faa6e42979244daebd24

SHA256
2af59ef93857702a61588dd2d85d096cfa3a7e8ea81d20a5203d204ff52eee50

SHA512
80f644d26d65e29e9eff057aee728b47d2987458627cf0bf55f68bf88122069c3601d52c2a0f8ca43be74192fba0a35ae91dbc57e222f25a2e17462d71a2bbdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\99eb5538-642e-4d5d-a185-cc19eeb80b69.vbs

Filesize
737B

MD5
3d2ca5cf3499d6c20048a1c2dd630299

SHA1
6401cbc4d3cfa4c1742c9096e5d98090cd25c708

SHA256
139070983ff88a4c64ab4d2b7f9d71ec2802ce5112bce77d8fe8f6498a8667d1

SHA512
87c6f5aa9668905d7acc5c200411cae4f8592d38ba172c9e533fa6979b67a5494cc26c105cb37f4a1b2c5f9828ada24fc6cf0810e261daee75f4993ee554c976

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5d9699d-d0e6-4b97-bced-e0d2627c7352.vbs

Filesize
737B

MD5
48649589920a7cce719e72022a354ce1

SHA1
ed6af08534ab91653d1798490064f1b5a79dd334

SHA256
5b5f7b437326ee6af6a20ecb28dccc7d14fe464eab4169b4bda72009600e1ec8

SHA512
ed15527829d2dec624e79040501429b58aaeba6b83c809f226043b9377ad76db20b153234bb626ebd99c721f98e89965d67bbec3084d8a06a3e60d24ee4bec0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c741ea22-722d-4608-bbe8-558d18d454bb.vbs

Filesize
737B

MD5
852594c982c33984b0cc519e63eba96d

SHA1
f93ad1842835da010555d2635421ebcc49c2785e

SHA256
56f405fdabe7ffa7c4faa05fab2276da9d51afd068f74d31d6ff1a5e9f3a4fc8

SHA512
3514ec62695922f9924b2c461f1d054289c07875e28a61ffaa60e3a45417b0cdc130e55a763693716cb7202f1489a3badf662eb39fdd07462e9b6e06548f0c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f96324ba-daf6-4cd7-a7e0-c4ebce798168.vbs

Filesize
513B

MD5
b5e1a8826721dd0acef7c5f4fffb362d

SHA1
898b4a6920b1f0980e73566e287cfe04db9442af

SHA256
46806d2c9fb33b2a8a3bf146cdeb84ab2f69d4c1f7209cbfcecdc3817f2895ce

SHA512
6feae8488a155defcfc1639a755e6cf41a4a9258bff744ac5e3751e9ec6398faa2965736080703542fabaec0ea26a271fb9d06131f21cadaa385c729d8b04ff1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8bcbc8813232c56524a6f5a97f3fab95

SHA1
db5e922810af0dc3ac83e3d957a25185249ceadc

SHA256
72dda10eff36074a5f5a2a581f29e8e3c1490812e46bc209c1702055791750de

SHA512
ae4d54c93715457e2055ce39fc986e74b7882c3668b1c387be648765adfe59e6cae31631a530106f80372b57204addd3b81fa241c926763ae465841b5e2a86ae

Download Submit
memory/1004-336-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1004-335-0x00000000013B0000-0x0000000001570000-memory.dmp

Filesize
1.8MB

Download
memory/1576-258-0x0000000001200000-0x00000000013C0000-memory.dmp

Filesize
1.8MB

Download
memory/2300-11-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/2300-0-0x000007FEF52B3000-0x000007FEF52B4000-memory.dmp

Filesize
4KB

Download
memory/2300-12-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2300-196-0x000007FEF52B3000-0x000007FEF52B4000-memory.dmp

Filesize
4KB

Download
memory/2300-1-0x00000000003D0000-0x0000000000590000-memory.dmp

Filesize
1.8MB

Download
memory/2300-13-0x0000000002230000-0x000000000223A000-memory.dmp

Filesize
40KB

Download
memory/2300-199-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-2-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-16-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/2300-15-0x0000000000770000-0x0000000000778000-memory.dmp

Filesize
32KB

Download
memory/2300-9-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/2300-14-0x0000000002250000-0x000000000225E000-memory.dmp

Filesize
56KB

Download
memory/2300-8-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2300-7-0x0000000000690000-0x00000000006A0000-memory.dmp

Filesize
64KB

Download
memory/2300-6-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/2300-5-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2300-4-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2300-3-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2300-19-0x000007FEF52B0000-0x000007FEF5C9C000-memory.dmp

Filesize
9.9MB

Download
memory/2300-17-0x0000000002260000-0x000000000226C000-memory.dmp

Filesize
48KB

Download
memory/2704-197-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2704-205-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download