dcrat | 1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48

Analysis

max time kernel
120s
max time network
111s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
Size

1.7MB
MD5

2865c19b41d7790e761e3375174b8b2e
SHA1

745a04eeee90df0823e8b3c7b0e1b297646acda1
SHA256

1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48
SHA512

c76edaee744073ffdc32a4a15448b1b6faaac07ecce7792f06e352868a9ab4b68e3bdbf07b58b95bdeb7d4f3e8ea95979576769253390550a9dd25ec313bd4aa
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvx:OTHUxUoh1IF9gl2q

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2696	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2696	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2156-1-0x0000000000CC0000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/files/0x000600000001658c-27.dat	dcrat
behavioral1/files/0x000c0000000156a6-113.dat	dcrat
behavioral1/files/0x0011000000015d36-172.dat	dcrat
behavioral1/memory/1244-205-0x0000000000E60000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/1904-278-0x0000000001170000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/1448-290-0x00000000002F0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/956-302-0x0000000000110000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2348-314-0x0000000000980000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/1964-326-0x0000000000A90000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/2408-339-0x0000000001140000-0x0000000001300000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
2440	powershell.exe
1292	powershell.exe
2600	powershell.exe
2552	powershell.exe
2200	powershell.exe
544	powershell.exe
1620	powershell.exe
2212	powershell.exe
2176	powershell.exe
1856	powershell.exe
2876	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe

Executes dropped EXE 8 IoCs

pid	Process
1244	lsass.exe
1152	lsass.exe
1904	lsass.exe
1448	lsass.exe
956	lsass.exe
2348	lsass.exe
1964	lsass.exe
2408	lsass.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX73C0.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files (x86)\Google\CrashReports\Idle.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX6FB6.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX6FB7.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\RCX6253.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\Idle.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\RCX6DB2.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\explorer.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files (x86)\Google\CrashReports\services.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\ebdcc2a3945b30	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\RCX6252.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files\Windows Sidebar\it-IT\RCX6DB1.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\services.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files\Windows Sidebar\it-IT\7a0fd90576e088	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files (x86)\Google\CrashReports\c5b4cb5e9653cc	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX64C5.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCX742E.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\69ddcba757bf72	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files (x86)\Google\CrashReports\6ccacd8608530f	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Program Files\Windows Sidebar\it-IT\explorer.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Program Files (x86)\Google\CrashReports\RCX64C4.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Fonts\RCX7633.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Windows\Fonts\Idle.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Windows\it-IT\RCX6BAD.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Windows\Fonts\RCX7632.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Windows\Fonts\Idle.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Windows\Fonts\6ccacd8608530f	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Windows\it-IT\RCX6BAE.tmp	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File opened for modification	C:\Windows\it-IT\lsass.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Windows\it-IT\lsass.exe	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
File created	C:\Windows\it-IT\6203df4a6bafc7	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2044	schtasks.exe
2832	schtasks.exe
1948	schtasks.exe
820	schtasks.exe
2956	schtasks.exe
2196	schtasks.exe
2888	schtasks.exe
1788	schtasks.exe
276	schtasks.exe
2252	schtasks.exe
2680	schtasks.exe
800	schtasks.exe
1612	schtasks.exe
2844	schtasks.exe
2404	schtasks.exe
1032	schtasks.exe
2244	schtasks.exe
1620	schtasks.exe
2396	schtasks.exe
900	schtasks.exe
868	schtasks.exe
2540	schtasks.exe
2180	schtasks.exe
1108	schtasks.exe
1052	schtasks.exe
1924	schtasks.exe
1900	schtasks.exe
1412	schtasks.exe
376	schtasks.exe
2112	schtasks.exe
2552	schtasks.exe
2620	schtasks.exe
2460	schtasks.exe
2296	schtasks.exe
1516	schtasks.exe
1964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
2552	powershell.exe
2212	powershell.exe
2440	powershell.exe
1856	powershell.exe
544	powershell.exe
2200	powershell.exe
2600	powershell.exe
2176	powershell.exe
2392	powershell.exe
1292	powershell.exe
2876	powershell.exe
1620	powershell.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe
1244	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1244	lsass.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1152	lsass.exe
Token: SeDebugPrivilege	1904	lsass.exe
Token: SeDebugPrivilege	1448	lsass.exe
Token: SeDebugPrivilege	956	lsass.exe
Token: SeDebugPrivilege	2348	lsass.exe
Token: SeDebugPrivilege	1964	lsass.exe
Token: SeDebugPrivilege	2408	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2600	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	67
PID 2156 wrote to memory of 2600	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	67
PID 2156 wrote to memory of 2600	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	67
PID 2156 wrote to memory of 2552	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	68
PID 2156 wrote to memory of 2552	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	68
PID 2156 wrote to memory of 2552	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	68
PID 2156 wrote to memory of 2200	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	69
PID 2156 wrote to memory of 2200	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	69
PID 2156 wrote to memory of 2200	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	69
PID 2156 wrote to memory of 2212	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	70
PID 2156 wrote to memory of 2212	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	70
PID 2156 wrote to memory of 2212	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	70
PID 2156 wrote to memory of 544	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	71
PID 2156 wrote to memory of 544	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	71
PID 2156 wrote to memory of 544	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	71
PID 2156 wrote to memory of 1620	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	72
PID 2156 wrote to memory of 1620	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	72
PID 2156 wrote to memory of 1620	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	72
PID 2156 wrote to memory of 2176	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	73
PID 2156 wrote to memory of 2176	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	73
PID 2156 wrote to memory of 2176	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	73
PID 2156 wrote to memory of 2392	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	74
PID 2156 wrote to memory of 2392	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	74
PID 2156 wrote to memory of 2392	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	74
PID 2156 wrote to memory of 2440	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	75
PID 2156 wrote to memory of 2440	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	75
PID 2156 wrote to memory of 2440	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	75
PID 2156 wrote to memory of 1856	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	76
PID 2156 wrote to memory of 1856	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	76
PID 2156 wrote to memory of 1856	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	76
PID 2156 wrote to memory of 2876	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	77
PID 2156 wrote to memory of 2876	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	77
PID 2156 wrote to memory of 2876	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	77
PID 2156 wrote to memory of 1292	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	78
PID 2156 wrote to memory of 1292	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	78
PID 2156 wrote to memory of 1292	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	78
PID 2156 wrote to memory of 1244	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	91
PID 2156 wrote to memory of 1244	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	91
PID 2156 wrote to memory of 1244	2156	1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe	91
PID 1244 wrote to memory of 2312	1244	lsass.exe	92
PID 1244 wrote to memory of 2312	1244	lsass.exe	92
PID 1244 wrote to memory of 2312	1244	lsass.exe	92
PID 1244 wrote to memory of 2872	1244	lsass.exe	93
PID 1244 wrote to memory of 2872	1244	lsass.exe	93
PID 1244 wrote to memory of 2872	1244	lsass.exe	93
PID 2312 wrote to memory of 1152	2312	WScript.exe	94
PID 2312 wrote to memory of 1152	2312	WScript.exe	94
PID 2312 wrote to memory of 1152	2312	WScript.exe	94
PID 1152 wrote to memory of 2420	1152	lsass.exe	95
PID 1152 wrote to memory of 2420	1152	lsass.exe	95
PID 1152 wrote to memory of 2420	1152	lsass.exe	95
PID 1152 wrote to memory of 2956	1152	lsass.exe	96
PID 1152 wrote to memory of 2956	1152	lsass.exe	96
PID 1152 wrote to memory of 2956	1152	lsass.exe	96
PID 2420 wrote to memory of 1904	2420	WScript.exe	98
PID 2420 wrote to memory of 1904	2420	WScript.exe	98
PID 2420 wrote to memory of 1904	2420	WScript.exe	98
PID 1904 wrote to memory of 764	1904	lsass.exe	99
PID 1904 wrote to memory of 764	1904	lsass.exe	99
PID 1904 wrote to memory of 764	1904	lsass.exe	99
PID 1904 wrote to memory of 1632	1904	lsass.exe	100
PID 1904 wrote to memory of 1632	1904	lsass.exe	100
PID 1904 wrote to memory of 1632	1904	lsass.exe	100
PID 764 wrote to memory of 1448	764	WScript.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe
"C:\Users\Admin\AppData\Local\Temp\1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2876
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\MSOCache\All Users\lsass.exe
  "C:\MSOCache\All Users\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8704846-8a3d-410c-a222-cf8e3777656c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\MSOCache\All Users\lsass.exe
      "C:\MSOCache\All Users\lsass.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e55d4e78-00de-4f67-95fe-bbe602297c4c.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2420
      - C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\59d8462d-a860-46f9-84e0-ebf61b27347d.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b141f90-4e45-4d33-8527-7733fe6a3799.vbs"
        9⤵
        
        PID:2540
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\13997092-e68f-49cb-8f06-a5b1aecf5a7a.vbs"
        11⤵
        
        PID:2064
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2486771f-361b-4b04-a40b-2ad3a19ab4a4.vbs"
        13⤵
        
        PID:888
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f2f11a1-4411-4c06-a615-7ce403562a61.vbs"
        15⤵
        
        PID:2616
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a7a1186-5ddc-4db8-9f1e-6bb1b334ea80.vbs"
        17⤵
        
        PID:1936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19f0a75d-7dc0-4177-a15e-a7aa628b4623.vbs"
        17⤵
        
        PID:2472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c7ea16fb-c5f4-49d3-b61b-51c0c04c01de.vbs"
        15⤵
        
        PID:1068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f2a6741-d7a3-49b8-9740-3b52c68bf10a.vbs"
        13⤵
        
        PID:2772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b05d08fc-3c94-453b-9ab1-337999c9b74d.vbs"
        11⤵
        
        PID:568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\841844df-5b68-431c-85b3-72cdb20bae78.vbs"
        9⤵
        
        PID:2840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\027f033d-44fe-46fb-9953-4b9938740847.vbs"
        7⤵
        
        PID:1632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96a5d3ed-e316-47d8-8d61-d7d531103f94.vbs"
        5⤵
        
        PID:2956
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5fb5ec87-65c0-485d-bb00-ed3de6fce301.vbs"
    3⤵
    PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\VideoLAN\VLC\plugins\misc\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\CrashReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb481" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb481" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\dwm.exe

Filesize
1.7MB

MD5
2865c19b41d7790e761e3375174b8b2e

SHA1
745a04eeee90df0823e8b3c7b0e1b297646acda1

SHA256
1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48

SHA512
c76edaee744073ffdc32a4a15448b1b6faaac07ecce7792f06e352868a9ab4b68e3bdbf07b58b95bdeb7d4f3e8ea95979576769253390550a9dd25ec313bd4aa

Download Submit
C:\MSOCache\All Users\lsass.exe

Filesize
1.7MB

MD5
59242dfa73223064a8b3fd4bf28afb55

SHA1
c39b37e6ea75a9c7f152eaa355e29fdca436954f

SHA256
92b6469c8e9587c2b7f40ca9aaa8a0ab2e818354b64e048649820b1616779cc1

SHA512
115390d175584f2bcab373f57a2e52fc0a5524d6a8ea3e3d07ce18b479168a0590060c9f17754d2999ac2684fb35ec0ccd5c8980777535a7ab21f5c63e9ca68d

Download Submit
C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\1f861816998420f9cf99ee91c77fe8cb5fb3ff7750caaed27e0570aa35a7bb48.exe

Filesize
1.7MB

MD5
5ea54731d7253832ce6a0d58f5088831

SHA1
9e2f29b8802f5edfa6ea1e45f77e220217637167

SHA256
fc85ff8458b5efd50c6cf89ac21f9df3b1205e31ce43b91d694efe63a85815f0

SHA512
28207fa10880075a20626366aa9be1dad89fda545df2818deed87c946de5c2f41e979b26464176c48d4f0705c4ce63b65eebff8566b5037c258f04c5c1fca464

Download Submit
C:\Users\Admin\AppData\Local\Temp\13997092-e68f-49cb-8f06-a5b1aecf5a7a.vbs

Filesize
706B

MD5
1c5b0f70c2d259971cc1739285d49230

SHA1
0e910d24040c337e93be3214ee773a2c704fc1b7

SHA256
6d5062b163effc96abf64bb04ed1720f18d3e47e26dbe2b34cffa305987af0ab

SHA512
807fcf4ffe18bfeec50f58aaa3241655d60c72a46495d873585f22343024e87a9bb3e7586064d29c9c0d26150868003e63a6317a80e5aa60f8675b280ee2bdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2486771f-361b-4b04-a40b-2ad3a19ab4a4.vbs

Filesize
707B

MD5
8cd4fe1cc23e0039b57ceba9511efa69

SHA1
4cb2020fffb34126726edbfb6f7368d0984f9fef

SHA256
dcf5579ced47b2a20aa53c96cc50adc7e1b60abf774a0662dd9c554f449dc158

SHA512
bded1e3bbd560f52576d2a575cc21c26ed9c618b93e2f11dd5bb809006f98759be898060d68657be8a88fed2070bfa98fd4361faa54003784581c3ec12aee144

Download Submit
C:\Users\Admin\AppData\Local\Temp\59d8462d-a860-46f9-84e0-ebf61b27347d.vbs

Filesize
707B

MD5
458645617ac63ed0cdc9457008d2fc0e

SHA1
e48002a5405b515d348675ff8926f23206c7a036

SHA256
cb52b6c40905f5fc351160a52e8ebad29a0f57a9190ec42a394e57c46d35ab7e

SHA512
3c9975872768df283f52e7830ca57ca6cd844dd2a1240031775b5b0d12f1e0e6f4987fe965e1c5a8c14a78e4e2976889c3ddc3535218b805975d3818cc376ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5fb5ec87-65c0-485d-bb00-ed3de6fce301.vbs

Filesize
483B

MD5
e1b6d3a934c46077473f16d67adb3ccf

SHA1
0a41fcce44a71e1ad2f776d4852f68fa66585c6a

SHA256
b1ee0d5a1b4188491546eaa112c2896a61c36b1f546a4942a4e3d1bcda20c2db

SHA512
c1f7e35ca2ffbd5f10c7b4501d307dcf9bdc0d51c759a2bf31e2a16be7bca66c00c17ec96bebfbb01ff1875650c2c1979f2035c5ffbe567ba99cc5d5c66b6c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b141f90-4e45-4d33-8527-7733fe6a3799.vbs

Filesize
707B

MD5
a8f4229560c3b8057657e913fc10d077

SHA1
fbf6d7bc994763d1e226be818da0fd7850f1ed62

SHA256
6ce36aab5e9932d1b8d13ae35d1c6a3fc1781fd22075cefdd1dadff71c0fda3c

SHA512
07b31486e6796073e2fa3bff04de27b1aa88aac1ca786bbae8a0c4e5f982e7eea84f096730fc3c9e2e8a7fc614d68312f93e04de0272d090f8412b4bb9b7bbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f2f11a1-4411-4c06-a615-7ce403562a61.vbs

Filesize
707B

MD5
6952c4dd793f98d66a34d9a32c530192

SHA1
da9dc3c2e0c8ff7188316b27b82fba105acdc4c4

SHA256
9a68568caeb15960f2108804f3d0b093de3c5d6aed728c99e57e75cfb18d8ef1

SHA512
ccac2dd7f84f319851cec0edaa3dde07d5c0cb35d2f0a5ee6a11b62e9870a819d5d1a7b474f343dd241ba9723dcaab2d1ab6e70938d2fc991b2e8c5fd0157c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8704846-8a3d-410c-a222-cf8e3777656c.vbs

Filesize
707B

MD5
037556cc2ea6f2681e4f8216bc2b1881

SHA1
11f3e46de85f25118aaedcf81ee2e7249ff6c762

SHA256
52ed07e360cd9d70a0b1b8e5cc7276d14dc3c3f24aee12f401f4e3d043d2be38

SHA512
7341a895e71f068d2f9df43bedee0fcbad020666975bf345a3578ead47d9fd3d05590df9cd0d7556d58d9f34668977ec34536b0054d09cb18dde4901266bd51e

Download Submit
C:\Users\Admin\AppData\Local\Temp\e55d4e78-00de-4f67-95fe-bbe602297c4c.vbs

Filesize
707B

MD5
236ce9bd4b251299a0f89f8159f2f8c7

SHA1
c0fdd4a4ce3ec06765d478c850b1fee126867c16

SHA256
4a02a319ca5abcc85a76115fcf280e9fdf03b21c829b5c5cac9b1bd62d27897d

SHA512
ce05bb19b93309ee0d3e52e191a3dd2299a0fa01ce0b8a98c64b4cc5c5ba55fa077cf1905c8c221e749993f4749fa908481f96fc72247b5685cca8bb0818cf57

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f035a01e8bcd386dc2cf285d5770cfcd

SHA1
8402d17a679e21195736007b8543cd8c0bc1dcaf

SHA256
0595a982d124904a58308eba0e6df62c3134172cef089d9a8abe6ebff2995b77

SHA512
2e446314928444a8324992a2e92086d73a9bb4af006e735b45bf762db88f080c25f2fe0b6b91010afed5cf90ff72dd9d9cbc8d827dab62fefb51e9de235774c3

Download Submit
memory/956-302-0x0000000000110000-0x00000000002D0000-memory.dmp

Filesize
1.8MB

Download
memory/1244-205-0x0000000000E60000-0x0000000001020000-memory.dmp

Filesize
1.8MB

Download
memory/1448-290-0x00000000002F0000-0x00000000004B0000-memory.dmp

Filesize
1.8MB

Download
memory/1904-278-0x0000000001170000-0x0000000001330000-memory.dmp

Filesize
1.8MB

Download
memory/1964-326-0x0000000000A90000-0x0000000000C50000-memory.dmp

Filesize
1.8MB

Download
memory/1964-327-0x00000000007E0000-0x00000000007F2000-memory.dmp

Filesize
72KB

Download
memory/2156-9-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2156-18-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-13-0x00000000024C0000-0x00000000024CA000-memory.dmp

Filesize
40KB

Download
memory/2156-186-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2156-14-0x0000000002320000-0x000000000232E000-memory.dmp

Filesize
56KB

Download
memory/2156-17-0x000000001AAF0000-0x000000001AAFC000-memory.dmp

Filesize
48KB

Download
memory/2156-12-0x0000000002310000-0x000000000231C000-memory.dmp

Filesize
48KB

Download
memory/2156-1-0x0000000000CC0000-0x0000000000E80000-memory.dmp

Filesize
1.8MB

Download
memory/2156-226-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2156-11-0x00000000022A0000-0x00000000022B2000-memory.dmp

Filesize
72KB

Download
memory/2156-8-0x0000000002280000-0x000000000228C000-memory.dmp

Filesize
48KB

Download
memory/2156-15-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download
memory/2156-6-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

Filesize
88KB

Download
memory/2156-7-0x00000000005E0000-0x00000000005F0000-memory.dmp

Filesize
64KB

Download
memory/2156-0-0x000007FEF58E3000-0x000007FEF58E4000-memory.dmp

Filesize
4KB

Download
memory/2156-5-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2156-4-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/2156-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2156-16-0x000000001AAE0000-0x000000001AAEC000-memory.dmp

Filesize
48KB

Download
memory/2156-2-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp

Filesize
9.9MB

Download
memory/2348-314-0x0000000000980000-0x0000000000B40000-memory.dmp

Filesize
1.8MB

Download
memory/2408-339-0x0000000001140000-0x0000000001300000-memory.dmp

Filesize
1.8MB

Download
memory/2552-204-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2552-215-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download