dcrat | 114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Size

1.7MB
MD5

4dec414f4409cea7c8b90fd730649803
SHA1

46ed1cf8ddcf4736aba57c1f46cacbaec2c09ecb
SHA256

114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c
SHA512

c9674bed0a92ea973c7b7b6cc2812c7dadf390c3a18cff0dca9b658760fe6b4015141ff93a7b0df7bdd2cc90bbe3c8077388db493831ee0385b6a4025689e573
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2964	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2964	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1632-1-0x00000000012D0000-0x0000000001490000-memory.dmp	dcrat
behavioral1/files/0x00050000000198f0-27.dat	dcrat
behavioral1/files/0x000e0000000198f0-156.dat	dcrat
behavioral1/memory/1660-247-0x0000000000EF0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/1528-269-0x0000000001290000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/1948-281-0x00000000000A0000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2308-294-0x0000000001030000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/1976-306-0x0000000001280000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2772-329-0x0000000000240000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/900-341-0x0000000000080000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2068-354-0x0000000001370000-0x0000000001530000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2860	powershell.exe
2704	powershell.exe
2852	powershell.exe
2836	powershell.exe
1492	powershell.exe
2212	powershell.exe
3064	powershell.exe
2600	powershell.exe
2192	powershell.exe
2668	powershell.exe
2544	powershell.exe
2664	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Executes dropped EXE 10 IoCs

pid	Process
1660	sppsvc.exe
2864	sppsvc.exe
1528	sppsvc.exe
1948	sppsvc.exe
2308	sppsvc.exe
1976	sppsvc.exe
1708	sppsvc.exe
2772	sppsvc.exe
900	sppsvc.exe
2068	sppsvc.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\886983d96e3d3e	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Internet Explorer\it-IT\winlogon.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\5940a34987c991	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\winlogon.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCX2B1.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\RCX6B9.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\de-DE\cc11b995f2a76d	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXF82B.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Windows NT\96a467520d05ca	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\RCXF626.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\RCXF627.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Windows NT\RCXAB.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\en-US\RCX2B0.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\winlogon.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\winlogon.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Windows NT\RCXAC.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Internet Explorer\it-IT\cc11b995f2a76d	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files\Windows NT\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXF82A.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Windows NT\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\de-DE\RCX6D9.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\services.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\tracing\System.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\services.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\c5b4cb5e9653cc	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\Speech\Common\de-DE\lsm.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\tracing\System.exe	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\RCXFC34.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File created	C:\Windows\tracing\27d1bcfc3c54e0	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\tracing\RCXFA2F.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\tracing\RCXFA30.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\RCXFC35.tmp	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1944	schtasks.exe
2092	schtasks.exe
1716	schtasks.exe
2792	schtasks.exe
2124	schtasks.exe
2756	schtasks.exe
2836	schtasks.exe
2748	schtasks.exe
588	schtasks.exe
336	schtasks.exe
2476	schtasks.exe
2904	schtasks.exe
2104	schtasks.exe
2896	schtasks.exe
2020	schtasks.exe
2548	schtasks.exe
3044	schtasks.exe
2676	schtasks.exe
676	schtasks.exe
2608	schtasks.exe
2252	schtasks.exe
2004	schtasks.exe
2080	schtasks.exe
2808	schtasks.exe
2580	schtasks.exe
852	schtasks.exe
2056	schtasks.exe
3036	schtasks.exe
708	schtasks.exe
2864	schtasks.exe
1948	schtasks.exe
2128	schtasks.exe
964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
2704	powershell.exe
2860	powershell.exe
2664	powershell.exe
3064	powershell.exe
2192	powershell.exe
2600	powershell.exe
2668	powershell.exe
1492	powershell.exe
2544	powershell.exe
2212	powershell.exe
2852	powershell.exe
2836	powershell.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe
1660	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1660	sppsvc.exe
Token: SeDebugPrivilege	2864	sppsvc.exe
Token: SeDebugPrivilege	1528	sppsvc.exe
Token: SeDebugPrivilege	1948	sppsvc.exe
Token: SeDebugPrivilege	2308	sppsvc.exe
Token: SeDebugPrivilege	1976	sppsvc.exe
Token: SeDebugPrivilege	1708	sppsvc.exe
Token: SeDebugPrivilege	2772	sppsvc.exe
Token: SeDebugPrivilege	900	sppsvc.exe
Token: SeDebugPrivilege	2068	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 2860	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	65
PID 1632 wrote to memory of 2860	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	65
PID 1632 wrote to memory of 2860	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	65
PID 1632 wrote to memory of 2704	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	66
PID 1632 wrote to memory of 2704	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	66
PID 1632 wrote to memory of 2704	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	66
PID 1632 wrote to memory of 2664	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	68
PID 1632 wrote to memory of 2664	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	68
PID 1632 wrote to memory of 2664	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	68
PID 1632 wrote to memory of 2852	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	69
PID 1632 wrote to memory of 2852	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	69
PID 1632 wrote to memory of 2852	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	69
PID 1632 wrote to memory of 2192	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	71
PID 1632 wrote to memory of 2192	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	71
PID 1632 wrote to memory of 2192	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	71
PID 1632 wrote to memory of 2600	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	73
PID 1632 wrote to memory of 2600	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	73
PID 1632 wrote to memory of 2600	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	73
PID 1632 wrote to memory of 2544	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	74
PID 1632 wrote to memory of 2544	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	74
PID 1632 wrote to memory of 2544	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	74
PID 1632 wrote to memory of 2668	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	76
PID 1632 wrote to memory of 2668	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	76
PID 1632 wrote to memory of 2668	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	76
PID 1632 wrote to memory of 3064	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	77
PID 1632 wrote to memory of 3064	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	77
PID 1632 wrote to memory of 3064	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	77
PID 1632 wrote to memory of 2836	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	79
PID 1632 wrote to memory of 2836	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	79
PID 1632 wrote to memory of 2836	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	79
PID 1632 wrote to memory of 1492	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	80
PID 1632 wrote to memory of 1492	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	80
PID 1632 wrote to memory of 1492	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	80
PID 1632 wrote to memory of 2212	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	81
PID 1632 wrote to memory of 2212	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	81
PID 1632 wrote to memory of 2212	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	81
PID 1632 wrote to memory of 3060	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	89
PID 1632 wrote to memory of 3060	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	89
PID 1632 wrote to memory of 3060	1632	114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe	89
PID 3060 wrote to memory of 2908	3060	cmd.exe	91
PID 3060 wrote to memory of 2908	3060	cmd.exe	91
PID 3060 wrote to memory of 2908	3060	cmd.exe	91
PID 3060 wrote to memory of 1660	3060	cmd.exe	92
PID 3060 wrote to memory of 1660	3060	cmd.exe	92
PID 3060 wrote to memory of 1660	3060	cmd.exe	92
PID 1660 wrote to memory of 2876	1660	sppsvc.exe	93
PID 1660 wrote to memory of 2876	1660	sppsvc.exe	93
PID 1660 wrote to memory of 2876	1660	sppsvc.exe	93
PID 1660 wrote to memory of 2960	1660	sppsvc.exe	94
PID 1660 wrote to memory of 2960	1660	sppsvc.exe	94
PID 1660 wrote to memory of 2960	1660	sppsvc.exe	94
PID 2876 wrote to memory of 2864	2876	WScript.exe	95
PID 2876 wrote to memory of 2864	2876	WScript.exe	95
PID 2876 wrote to memory of 2864	2876	WScript.exe	95
PID 2864 wrote to memory of 2476	2864	sppsvc.exe	96
PID 2864 wrote to memory of 2476	2864	sppsvc.exe	96
PID 2864 wrote to memory of 2476	2864	sppsvc.exe	96
PID 2864 wrote to memory of 2868	2864	sppsvc.exe	97
PID 2864 wrote to memory of 2868	2864	sppsvc.exe	97
PID 2864 wrote to memory of 2868	2864	sppsvc.exe	97
PID 2476 wrote to memory of 1528	2476	WScript.exe	98
PID 2476 wrote to memory of 1528	2476	WScript.exe	98
PID 2476 wrote to memory of 1528	2476	WScript.exe	98
PID 1528 wrote to memory of 3040	1528	sppsvc.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe
"C:\Users\Admin\AppData\Local\Temp\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pectBbsFUI.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2908
- - C:\Users\Admin\PrintHood\sppsvc.exe
    "C:\Users\Admin\PrintHood\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4db9965b-da22-445d-a6ab-53e4d9e7947b.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e405f4f2-2acb-4955-873e-1135a8ce7c63.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7b319f1-09b0-47ec-9c15-02d41c64aad8.vbs"
        8⤵
        
        PID:3040
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d924321f-3610-4776-a8d7-3f167762a27a.vbs"
        10⤵
        
        PID:2792
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f955c6e2-b5f4-4a86-8070-fe825ee11039.vbs"
        12⤵
        
        PID:3028
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec8e8dba-7eeb-4799-a941-bca835d3b5ef.vbs"
        14⤵
        
        PID:1480
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af014c57-daa1-4937-851a-6dfe566749f1.vbs"
        16⤵
        
        PID:1132
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\95ddf378-46d2-467f-a56d-246b86219a6d.vbs"
        18⤵
        
        PID:2024
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\20fe08b0-7dda-45f6-a424-51887154cb99.vbs"
        20⤵
        
        PID:1008
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        
        C:\Users\Admin\PrintHood\sppsvc.exe
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db9978b6-e747-46d6-8694-dd2dbfcfb689.vbs"
        22⤵
        
        PID:1716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca7473d0-3bac-494e-bcc9-2af6ccda82c4.vbs"
        22⤵
        
        PID:1804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\48f71dba-d350-4fc2-a9b5-d3ae456e045a.vbs"
        20⤵
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f896c62-18b9-42c9-b835-241669fda414.vbs"
        18⤵
        
        PID:1704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\daeaf257-c718-4ddc-a154-ec4e05142892.vbs"
        16⤵
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64e8ee71-4e40-43bc-838e-9b664652651d.vbs"
        14⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36c1478c-f30f-4ef0-a88d-d7d9772e79cc.vbs"
        12⤵
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\41217692-606f-4730-9d86-d0df928dc630.vbs"
        10⤵
        
        PID:2700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e694f0df-528e-4de3-a214-e52d125e6d79.vbs"
        8⤵
        
        PID:788
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\16cdacdf-2139-4e94-91bf-c2b1434ed16d.vbs"
        6⤵
        
        PID:2868
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\777414fc-d4df-4059-99bc-a788cfa1c811.vbs"
      4⤵
      PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\VideoLAN\VLC\skins\fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\it-IT\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\it-IT\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c1" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c" /sc ONLOGON /tr "'C:\Program Files\Windows NT\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c1" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Minesweeper\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Minesweeper\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\Minesweeper\de-DE\RCX6B9.tmp

Filesize
1.7MB

MD5
7c0a2126b9bb85ebd1473d056dc65d5f

SHA1
f0f2eb248a8b091f1862a484648487282ee18cc0

SHA256
72231ad7b981bd93403ceda92f3685ba71ddc7636ffc784b92dd6fedebb4bf42

SHA512
127a8a6625608810e624650d28f098acf14426f84cc414fc5d88ff7cba7179dfbb150f4b6f547cd58cd612d0feb1a0f8f9922fb76d4a97eca8a8b113b385cabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\20fe08b0-7dda-45f6-a424-51887154cb99.vbs

Filesize
710B

MD5
897778d832f25d6775f50058982a0160

SHA1
aef38d363812c8e8eb1909529799a5be6834ae22

SHA256
60d9086f709fa7b04493c337abf56a354ae2f78de10997834f5c35bcde51af65

SHA512
37e20b2bb9cdb5c8a3ddf5349fa9fd23533f0695ed8cf2909e1c3adedf911eb3771998f61de0a16114dd31f1f41caf49d57544f682319a8120706f0c5f849fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4db9965b-da22-445d-a6ab-53e4d9e7947b.vbs

Filesize
711B

MD5
786ca73902187e6b3df39cdd3a316edd

SHA1
3e8f95a8703c0e2025caa5b4c11daf2f99defc7f

SHA256
38d7d6d201cc57065cdbf0da2fb6e6fb20236d391d927f00eb41957d5710c7a0

SHA512
955fe19e0cae138728d2c5b149d883f69b0454ce4f3b4ff6345fd5f369bb17781b15193e0de235d74ab12cc1601b70b3849abcab3b0ce630f3c411641d617c57

Download Submit
C:\Users\Admin\AppData\Local\Temp\777414fc-d4df-4059-99bc-a788cfa1c811.vbs

Filesize
487B

MD5
66710bbcf483a2d8e7143e2ae0eb3b44

SHA1
4735933473f7f33862768c455c18f517c9662e83

SHA256
6ed0c845e42e32fa18345c0afc2bc92704af11171bba5680e585d38a75f34c70

SHA512
8ea14f01332d340e0533f26904825667111cee3f3124da7f931b4c8b9012555d490d1e45286008adf6dbfb61f394f341e12aac578d1321a83bdb4503bf354ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\95ddf378-46d2-467f-a56d-246b86219a6d.vbs

Filesize
711B

MD5
609bb704794442f7c7e865670d770e94

SHA1
796878abf824d027a7cdf7a4dd0b82e42bd01ef3

SHA256
2757d22bf44fc16b09ecda3b97670df41df1a64d5fcd014ec7ad1bc4883cb50e

SHA512
e12438e67d087532b424766c1b5d5486bdab2cab742422cf57d64e0afddf6f5f64382629c6cb01e90150062cc7bb82ede45249a05d87f2b9ca609df6ec6c1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7b319f1-09b0-47ec-9c15-02d41c64aad8.vbs

Filesize
711B

MD5
1260e2c6a4cafae7d28a7a1c7686fb45

SHA1
47f0544b65a49f61c7f2dba17b0d2ed8f0709538

SHA256
b96018341928f9ffe0469012ce86c176579568284ed1f91d65bf8b536efb498e

SHA512
3984a861d4def5ceec1b9e2432f6cc5866c46e53024b3cc561508fbf6c62cbaa7e3b1b9974af4975137a5042acdcb065b227603138c5acd2287bb1dbd78c6e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\af014c57-daa1-4937-851a-6dfe566749f1.vbs

Filesize
711B

MD5
30031a17209eeffdb3a28f15f09f7649

SHA1
9fc58cf3a2df987172a8237b7a711a828241cc3b

SHA256
f2564da5968dbb3392f78fd15d46c2d789027cc41daf54dd8b2ecdf448229da7

SHA512
fafcc35ee420b089a6c106cf19fd6737aabac067820b13dd9981e3b2e7d73238f2bb1f1cbbb31dc997cb1389efb243c3a0055ee896ffb6d35698b27c5db9436c

Download Submit
C:\Users\Admin\AppData\Local\Temp\d924321f-3610-4776-a8d7-3f167762a27a.vbs

Filesize
711B

MD5
e0b2e896ad07043434c1edd4f84555cb

SHA1
44b5eab1d26412537bd25332807bee7975894fbb

SHA256
87c27e26e2e63bd0630cbf28676ff63af2975923ddc3dd4ca0fe5845555c3f38

SHA512
fff0816b5104de8de007310a3c8ceed24477d92c4fe06c317370fb9bacffea9bb2b978ceea2d0e392eaae5a8c6f36899be7594710ad1bb779eaaf669b415c765

Download Submit
C:\Users\Admin\AppData\Local\Temp\db9978b6-e747-46d6-8694-dd2dbfcfb689.vbs

Filesize
711B

MD5
a0931b51970d2f513b91a6df35f2851d

SHA1
370519a208ce3351ebf936145b9bd8be6cec0eb8

SHA256
f0ffbdd05283041add710d61d2467f59eefc4dfed6f5ed3a2d5dc6313d6b848c

SHA512
c57dec2dfe5cb875194540f48a7b3a6495899caed46b8201a764b43d18b6830b4f8420d594d203bb8684535254ff9e0762d5b3cba42d8497b3aaa3b7c3ae3673

Download Submit
C:\Users\Admin\AppData\Local\Temp\e405f4f2-2acb-4955-873e-1135a8ce7c63.vbs

Filesize
711B

MD5
7100d24aa76d5824bc15351a162886c2

SHA1
3ee27befce80384b09c8546dc37b72e3a4e39dfa

SHA256
dcfb2a0aea2fa5b60ea140f992abce1132faeb904d0ca962984b46011f70c46e

SHA512
b689d5dfffd91e92f6283d7ecfa5da21180fa6d96f4e0537385dfc97d8e0597a72035e71c5e1b1cf1b6adaa08a77d552c7e8066dbfcc856cd9ed6ebdf53fed7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec8e8dba-7eeb-4799-a941-bca835d3b5ef.vbs

Filesize
711B

MD5
2224404978f6cc0f16376a83e07720de

SHA1
14c50b145bba89dce708e7c5a557b1b425baa17c

SHA256
2100be6b2ce16e515137b654e95ea871468d00077b0d64d124a56a91722da3c8

SHA512
668005a11333087ae51ec4746459c15a1d078f815b119fb71f4c4604e675607fc97f2b23eb09d5b3b5e8a43b041a56383fbd5ce9673b3348c1ad223231d5eb07

Download Submit
C:\Users\Admin\AppData\Local\Temp\f955c6e2-b5f4-4a86-8070-fe825ee11039.vbs

Filesize
711B

MD5
e88ba540c567c2ebeeb105b25fc9eba4

SHA1
7741a27e8da0398a085ec7d0e67d6627af67d59a

SHA256
4a279f25bf314e1a422b3e5feec5a49857350c8b9fcd391ad44275c888a22f74

SHA512
5cd1f693b1122504d0179496d0ca382428d50e466aa1dfa76a38d68a80f74f702346ed1c8d5dbf73a3e6fc8b8e6c35b62d9225eb658eaf6fbe28395e26aa6ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pectBbsFUI.bat

Filesize
200B

MD5
ff9ea6d4ffe520d6ace427aac8ec25ef

SHA1
2a0d28946b9bd7f42125a00998575a45ce407b70

SHA256
d82bdc8416774b101ed06d3bf49446c40ada5d6968b3af7c0fa31d0bb54488ac

SHA512
6093f8f5c875028ec393218dba6b16084386ae2a9f43514dd25a9549a01d5e1ef32adeb9f3e276732e00d2ca870d23891c893d43181ef849e394fbeaa7b3961e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
04e478ffb37620f78816ee6c1281e783

SHA1
7995093cf94ee7a6e97d8c285cb15ec2b73b3989

SHA256
0738979c2b6c0a6f01ce4a635b0cc98b3b238cca106b13b54205c1563192eab2

SHA512
35d0cc942aadf6a89e9f1a3f7f301299e67bb69855e0f7cb3266ba76dba63ab817adb27e8923eda7f50aa2893d3184a4d4abc7a4a600e658855eb051f9acc93e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_64\PresentationCFFRast#\services.exe

Filesize
1.7MB

MD5
4dec414f4409cea7c8b90fd730649803

SHA1
46ed1cf8ddcf4736aba57c1f46cacbaec2c09ecb

SHA256
114e22cb2c971f3b91c2967e0742b006950e65a2cb23fb0f581a09457b9b657c

SHA512
c9674bed0a92ea973c7b7b6cc2812c7dadf390c3a18cff0dca9b658760fe6b4015141ff93a7b0df7bdd2cc90bbe3c8077388db493831ee0385b6a4025689e573

Download Submit
memory/900-341-0x0000000000080000-0x0000000000240000-memory.dmp

Filesize
1.8MB

Download
memory/900-342-0x0000000000610000-0x0000000000622000-memory.dmp

Filesize
72KB

Download
memory/1528-269-0x0000000001290000-0x0000000001450000-memory.dmp

Filesize
1.8MB

Download
memory/1632-12-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download
memory/1632-14-0x0000000000C50000-0x0000000000C5E000-memory.dmp

Filesize
56KB

Download
memory/1632-1-0x00000000012D0000-0x0000000001490000-memory.dmp

Filesize
1.8MB

Download
memory/1632-17-0x0000000000FF0000-0x0000000000FFC000-memory.dmp

Filesize
48KB

Download
memory/1632-198-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-2-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-16-0x0000000000FE0000-0x0000000000FEC000-memory.dmp

Filesize
48KB

Download
memory/1632-20-0x000007FEF5EA0000-0x000007FEF688C000-memory.dmp

Filesize
9.9MB

Download
memory/1632-15-0x0000000000ED0000-0x0000000000ED8000-memory.dmp

Filesize
32KB

Download
memory/1632-7-0x00000000005F0000-0x0000000000600000-memory.dmp

Filesize
64KB

Download
memory/1632-13-0x0000000000C60000-0x0000000000C6A000-memory.dmp

Filesize
40KB

Download
memory/1632-0-0x000007FEF5EA3000-0x000007FEF5EA4000-memory.dmp

Filesize
4KB

Download
memory/1632-11-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/1632-3-0x00000000005B0000-0x00000000005CC000-memory.dmp

Filesize
112KB

Download
memory/1632-4-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/1632-9-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/1632-5-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/1632-8-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/1632-6-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/1660-247-0x0000000000EF0000-0x00000000010B0000-memory.dmp

Filesize
1.8MB

Download
memory/1948-282-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/1948-281-0x00000000000A0000-0x0000000000260000-memory.dmp

Filesize
1.8MB

Download
memory/1976-306-0x0000000001280000-0x0000000001440000-memory.dmp

Filesize
1.8MB

Download
memory/2068-354-0x0000000001370000-0x0000000001530000-memory.dmp

Filesize
1.8MB

Download
memory/2308-294-0x0000000001030000-0x00000000011F0000-memory.dmp

Filesize
1.8MB

Download
memory/2704-197-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2704-186-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2772-329-0x0000000000240000-0x0000000000400000-memory.dmp

Filesize
1.8MB

Download