dcrat | 0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/01/2025, 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
Size

1.7MB
MD5

73f8fb574f3eb89a16b9170aad01fec0
SHA1

15bf5763fc20fd9f777092176e16337941694ea3
SHA256

0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735
SHA512

115d89d8231c66101290fe4d73b8c51d56c21727c7cb855815254bbcd7c0e1f8bd97e23f329ccb665ddc8fe7dc18aad5149bfac4d9fe2ce25ded706ff842e2d9
SSDEEP

24576:j3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:jgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2708	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2708	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2644-1-0x0000000000AA0000-0x0000000000C56000-memory.dmp	dcrat
behavioral1/files/0x0008000000016399-27.dat	dcrat
behavioral1/files/0x000600000001a4c1-82.dat	dcrat
behavioral1/files/0x000f000000016399-171.dat	dcrat
behavioral1/files/0x0016000000016399-232.dat	dcrat
behavioral1/files/0x0017000000016399-243.dat	dcrat
behavioral1/memory/2980-307-0x00000000008E0000-0x0000000000A96000-memory.dmp	dcrat
behavioral1/memory/1880-371-0x0000000000AF0000-0x0000000000CA6000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1900	powershell.exe
1932	powershell.exe
560	powershell.exe
448	powershell.exe
2760	powershell.exe
1956	powershell.exe
2416	powershell.exe
1704	powershell.exe
2364	powershell.exe
1492	powershell.exe
408	powershell.exe
2664	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe

Executes dropped EXE 2 IoCs

pid	Process
2980	lsass.exe
1880	lsass.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\smss.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA47.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\smss.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX2193.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\MSBuild\42af1c969fbb7b	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files (x86)\Windows Portable Devices\69ddcba757bf72	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\6cb0b6c459d5d3	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX14CC.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\b75386f1303e64	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX14CB.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXA46.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\RCX2194.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Program Files\MSBuild\audiodg.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\MSBuild\RCX5CF.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\MSBuild\RCX63D.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Program Files\MSBuild\audiodg.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Media\c5b4cb5e9653cc	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Media\services.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Logs\DPX\RCX10C1.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Media\Festival\RCX261A.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Media\services.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Media\Festival\27d1bcfc3c54e0	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Media\RCX841.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Logs\DPX\RCX10C2.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Media\Festival\RCX261B.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Logs\DPX\taskhost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Logs\DPX\b75386f1303e64	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Logs\DPX\taskhost.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Media\Festival\System.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File created	C:\Windows\Media\Festival\System.exe	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
File opened for modification	C:\Windows\Media\RCX842.tmp	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2316	schtasks.exe
1616	schtasks.exe
1828	schtasks.exe
2272	schtasks.exe
2408	schtasks.exe
2280	schtasks.exe
696	schtasks.exe
1108	schtasks.exe
2348	schtasks.exe
836	schtasks.exe
1464	schtasks.exe
316	schtasks.exe
2360	schtasks.exe
1460	schtasks.exe
2844	schtasks.exe
2560	schtasks.exe
1980	schtasks.exe
1908	schtasks.exe
2892	schtasks.exe
2416	schtasks.exe
1524	schtasks.exe
2948	schtasks.exe
2012	schtasks.exe
2112	schtasks.exe
2172	schtasks.exe
2372	schtasks.exe
1816	schtasks.exe
2108	schtasks.exe
2832	schtasks.exe
408	schtasks.exe
2460	schtasks.exe
1896	schtasks.exe
484	schtasks.exe
1228	schtasks.exe
1780	schtasks.exe
2776	schtasks.exe
3036	schtasks.exe
2160	schtasks.exe
1860	schtasks.exe
1968	schtasks.exe
1728	schtasks.exe
1348	schtasks.exe
984	schtasks.exe
1640	schtasks.exe
1412	schtasks.exe
1440	schtasks.exe
2696	schtasks.exe
2544	schtasks.exe
1664	schtasks.exe
1700	schtasks.exe
1776	schtasks.exe
948	schtasks.exe
1468	schtasks.exe
780	schtasks.exe
2984	schtasks.exe
1476	schtasks.exe
2152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
1932	powershell.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
2760	powershell.exe
2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
1704	powershell.exe
2364	powershell.exe
448	powershell.exe
2664	powershell.exe
1492	powershell.exe
2416	powershell.exe
1900	powershell.exe
560	powershell.exe
408	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2980	lsass.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1880	lsass.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1900	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	88
PID 2644 wrote to memory of 1900	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	88
PID 2644 wrote to memory of 1900	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	88
PID 2644 wrote to memory of 1932	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	89
PID 2644 wrote to memory of 1932	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	89
PID 2644 wrote to memory of 1932	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	89
PID 2644 wrote to memory of 2416	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	90
PID 2644 wrote to memory of 2416	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	90
PID 2644 wrote to memory of 2416	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	90
PID 2644 wrote to memory of 1704	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	91
PID 2644 wrote to memory of 1704	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	91
PID 2644 wrote to memory of 1704	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	91
PID 2644 wrote to memory of 560	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	92
PID 2644 wrote to memory of 560	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	92
PID 2644 wrote to memory of 560	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	92
PID 2644 wrote to memory of 2364	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	93
PID 2644 wrote to memory of 2364	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	93
PID 2644 wrote to memory of 2364	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	93
PID 2644 wrote to memory of 1492	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	94
PID 2644 wrote to memory of 1492	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	94
PID 2644 wrote to memory of 1492	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	94
PID 2644 wrote to memory of 448	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	95
PID 2644 wrote to memory of 448	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	95
PID 2644 wrote to memory of 448	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	95
PID 2644 wrote to memory of 408	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	96
PID 2644 wrote to memory of 408	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	96
PID 2644 wrote to memory of 408	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	96
PID 2644 wrote to memory of 2760	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	97
PID 2644 wrote to memory of 2760	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	97
PID 2644 wrote to memory of 2760	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	97
PID 2644 wrote to memory of 1956	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	98
PID 2644 wrote to memory of 1956	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	98
PID 2644 wrote to memory of 1956	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	98
PID 2644 wrote to memory of 2664	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	99
PID 2644 wrote to memory of 2664	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	99
PID 2644 wrote to memory of 2664	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	99
PID 2644 wrote to memory of 2980	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	112
PID 2644 wrote to memory of 2980	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	112
PID 2644 wrote to memory of 2980	2644	0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe	112
PID 2980 wrote to memory of 2516	2980	lsass.exe	113
PID 2980 wrote to memory of 2516	2980	lsass.exe	113
PID 2980 wrote to memory of 2516	2980	lsass.exe	113
PID 2980 wrote to memory of 1664	2980	lsass.exe	114
PID 2980 wrote to memory of 1664	2980	lsass.exe	114
PID 2980 wrote to memory of 1664	2980	lsass.exe	114
PID 2516 wrote to memory of 1880	2516	WScript.exe	115
PID 2516 wrote to memory of 1880	2516	WScript.exe	115
PID 2516 wrote to memory of 1880	2516	WScript.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe
"C:\Users\Admin\AppData\Local\Temp\0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe
  "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1489d7dd-5ace-434f-a925-832fb6c4bd6f.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe
      "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b47b82b-91cf-4b40-ac75-734e613e69ff.vbs"
    3⤵
    PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\MSBuild\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Media\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Logs\DPX\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Logs\DPX\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Logs\DPX\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\My Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Festival\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Media\Festival\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Festival\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\RCX2415.tmp

Filesize
1.7MB

MD5
a71cfb6e73c22fe140d19d479e8b57f8

SHA1
88b2bf160c24780663e9819ca10a9d6af52deab8

SHA256
bef4d3b8475fee95410c05288896daee24f7ca9629320fe9826934f11eb83043

SHA512
e0b87f0421ab1f9b64c2a2e47e46f08ea409663b0aee68350f801888cec27e62028e310f64eb71225d1cb03f4736bf45415d5a3c5690878ceda5a543d9145a1c

Download Submit
C:\Program Files (x86)\Microsoft.NET\RedistList\RCX2193.tmp

Filesize
1.7MB

MD5
ff9c87b7f608f43a8bb2780745ad94da

SHA1
e670f6eb0fc1a0f467a253420af2b209b0eb4e29

SHA256
8805aaebab753bc2c299a154d74ab48ce678db4e096752f918e4af9d82f5afdb

SHA512
e76b52e6ba008c1c1ebcbd433d34c91a672eb3578f39683e7f2ee45843373b3b1817c0b4f6390c0261342834125e4f5e026a9bafdb07e0c88fbbb7ce56a83a3c

Download Submit
C:\Program Files\MSBuild\audiodg.exe

Filesize
1.7MB

MD5
a1ef5f02b4884c8869a84bd6a1071341

SHA1
2658c159c3e2380a2e02751c38a1e7d05d58d11a

SHA256
e2a953cf1b608acd94b0cb298fbe9d526814df61a37726596ee5829ddf318ecf

SHA512
8dc8dce9295978229529f555b3852030cb8dad6ed7c8b35b47958706985f764c22fc5aa64ee407e9c1d8083c8960f23ebbc98f51cc7a1df936d342f84b316a5c

Download Submit
C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\RCX16D0.tmp

Filesize
1.7MB

MD5
22cb510755e7540dc90bb43c40ea8991

SHA1
3e584cb9b3170431f0d693f9cb3fd9cec020f058

SHA256
07e605b4aaabadab64b3a664da490a7bc97062cb8f2211f0348181a4f4fc44d9

SHA512
33a0e2cb778e4e2da286eccee5723ad86924fb980910655dce53f64427d22d05d97c7bc0bdf8454633768fc492ea6d6788cd694815975f9a011eec59a1836392

Download Submit
C:\Users\Admin\AppData\Local\Temp\1489d7dd-5ace-434f-a925-832fb6c4bd6f.vbs

Filesize
757B

MD5
00a5c46ca082991c10a9f67020272548

SHA1
01ad09e556061cce307030f7196f3e2235d2a500

SHA256
2f13def8aa28a67765368c80a5c57161c85b099dcb15d999ee6c5429c66d6f4b

SHA512
1a7ac993a17d511a0beaa73d256a3126f361845641ae5ef2ff876c481c3a6c20c12890f80e0de0905c936c15dd1151439c42ca0a3ecf50f9cfa5ffb0d562d486

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b47b82b-91cf-4b40-ac75-734e613e69ff.vbs

Filesize
533B

MD5
d04e6e2a7f1eb961b23119c61de01b85

SHA1
c1110ec395165a567206c4cfe94f37bbfa99ca1b

SHA256
a19dcae29044400711baeb92b50f9a1d3d9184eb127f1e6e1e7d8adaca894f60

SHA512
ad7c29bcf3d8f5fdddae570ea9e66658e73de7f2d53e6100ad910f4a693a88bf3c762ef7f319c3e39460149f9bc0323820e75c2d73ef4cb65233e9ee8e4058f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
71c1e7457928026a79bdbb2c0c3eced4

SHA1
bb2ec54d10d0b2b1c8528f563af52c56de85e6a3

SHA256
ed1eb181e422e8f7151ce4b8a3fd6a9692766b74d0c218985357bd435d93e580

SHA512
2daf2165c689b3064c2b35863fbcf1baa5dbbaac5d00908e54f32f9eccd49851e756d993b72d36c72b1ffee5b2726f1d33d38acdbfde7a257523290d4f5ad0f2

Download Submit
C:\Users\Public\Favorites\explorer.exe

Filesize
1.7MB

MD5
73f8fb574f3eb89a16b9170aad01fec0

SHA1
15bf5763fc20fd9f777092176e16337941694ea3

SHA256
0f4cc22a435dbc0b8871e23761d09e840fee180548af4de10e027cdf6b818735

SHA512
115d89d8231c66101290fe4d73b8c51d56c21727c7cb855815254bbcd7c0e1f8bd97e23f329ccb665ddc8fe7dc18aad5149bfac4d9fe2ce25ded706ff842e2d9

Download Submit
memory/1880-371-0x0000000000AF0000-0x0000000000CA6000-memory.dmp

Filesize
1.7MB

Download
memory/1932-296-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1932-294-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2644-228-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-5-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2644-16-0x0000000002400000-0x000000000240C000-memory.dmp

Filesize
48KB

Download
memory/2644-15-0x0000000002270000-0x0000000002278000-memory.dmp

Filesize
32KB

Download
memory/2644-17-0x0000000002490000-0x000000000249C000-memory.dmp

Filesize
48KB

Download
memory/2644-20-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-0-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2644-7-0x0000000000690000-0x00000000006A2000-memory.dmp

Filesize
72KB

Download
memory/2644-6-0x0000000000670000-0x0000000000686000-memory.dmp

Filesize
88KB

Download
memory/2644-204-0x000007FEF6453000-0x000007FEF6454000-memory.dmp

Filesize
4KB

Download
memory/2644-8-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2644-14-0x00000000006F0000-0x00000000006FA000-memory.dmp

Filesize
40KB

Download
memory/2644-4-0x0000000000640000-0x0000000000648000-memory.dmp

Filesize
32KB

Download
memory/2644-252-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-13-0x00000000006E0000-0x00000000006EC000-memory.dmp

Filesize
48KB

Download
memory/2644-3-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/2644-12-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/2644-9-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2644-1-0x0000000000AA0000-0x0000000000C56000-memory.dmp

Filesize
1.7MB

Download
memory/2644-10-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/2644-330-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2644-2-0x000007FEF6450000-0x000007FEF6E3C000-memory.dmp

Filesize
9.9MB

Download
memory/2980-313-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2980-307-0x00000000008E0000-0x0000000000A96000-memory.dmp

Filesize
1.7MB

Download