dcrat | 2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
Size

1.7MB
MD5

6edab7625800c81a8eb6ef36c2fb54fe
SHA1

28fe7ca7e96ccd496bb474ce9be0c7a828a92fed
SHA256

2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5
SHA512

2de808f6acfa8fd5d734db89d75668bab1187ab68d62a432d86fe8b4a1fb6de5422c4374cb8c0a2b894c1f8fb9fa514a3238e93123486c1254075178c67cba71
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2104	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2104	schtasks.exe	31

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/1628-1-0x0000000001180000-0x0000000001340000-memory.dmp	dcrat
behavioral1/files/0x0005000000019458-27.dat	dcrat
behavioral1/files/0x00080000000186f1-81.dat	dcrat
behavioral1/files/0x0007000000018739-125.dat	dcrat
behavioral1/files/0x0008000000019502-170.dat	dcrat
behavioral1/files/0x0009000000019512-192.dat	dcrat
behavioral1/files/0x00070000000195f0-204.dat	dcrat
behavioral1/memory/2980-336-0x0000000000EC0000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/2744-346-0x0000000001290000-0x0000000001450000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
2584	powershell.exe
2096	powershell.exe
2128	powershell.exe
2556	powershell.exe
2636	powershell.exe
1828	powershell.exe
1912	powershell.exe
3028	powershell.exe
1720	powershell.exe
2520	powershell.exe
1960	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe

Executes dropped EXE 3 IoCs

pid	Process
2980	smss.exe
2744	smss.exe
3008	smss.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCXDE64.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCXE309.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files\Windows Portable Devices\audiodg.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Program Files (x86)\Windows Mail\101b941d020240	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\27d1bcfc3c54e0	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCXE30A.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXEA7F.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\lsm.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXECF1.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Program Files (x86)\Windows Mail\lsm.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCXDE84.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXEA7E.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXECF0.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\6203df4a6bafc7	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Setup\State\RCXF36C.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Windows\Media\Cityscape\smss.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Windows\Media\Cityscape\69ddcba757bf72	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Windows\Setup\State\explorer.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Windows\Setup\State\7a0fd90576e088	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Windows\Media\Cityscape\smss.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File created	C:\Windows\rescache\rc0005\csrss.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Windows\Media\Cityscape\RCXEEF5.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Windows\Media\Cityscape\RCXEF63.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Windows\Setup\State\RCXF3DA.tmp	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
File opened for modification	C:\Windows\Setup\State\explorer.exe	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2912	schtasks.exe
2980	schtasks.exe
2944	schtasks.exe
1856	schtasks.exe
3024	schtasks.exe
2876	schtasks.exe
484	schtasks.exe
2540	schtasks.exe
2016	schtasks.exe
2432	schtasks.exe
2180	schtasks.exe
2420	schtasks.exe
912	schtasks.exe
1208	schtasks.exe
1912	schtasks.exe
3012	schtasks.exe
840	schtasks.exe
2960	schtasks.exe
2748	schtasks.exe
1704	schtasks.exe
2300	schtasks.exe
944	schtasks.exe
3052	schtasks.exe
3048	schtasks.exe
1072	schtasks.exe
2344	schtasks.exe
2604	schtasks.exe
1724	schtasks.exe
588	schtasks.exe
2744	schtasks.exe
2688	schtasks.exe
3036	schtasks.exe
1712	schtasks.exe
1676	schtasks.exe
892	schtasks.exe
2820	schtasks.exe
2292	schtasks.exe
1548	schtasks.exe
2756	schtasks.exe
2256	schtasks.exe
1160	schtasks.exe
2908	schtasks.exe
1808	schtasks.exe
1992	schtasks.exe
1636	schtasks.exe
380	schtasks.exe
1956	schtasks.exe
2560	schtasks.exe
2716	schtasks.exe
1640	schtasks.exe
1940	schtasks.exe
2416	schtasks.exe
2352	schtasks.exe
1068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
1828	powershell.exe
1960	powershell.exe
3028	powershell.exe
2584	powershell.exe
1720	powershell.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2980	smss.exe
Token: SeDebugPrivilege	2744	smss.exe
Token: SeDebugPrivilege	3008	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1720	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	86
PID 1628 wrote to memory of 1720	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	86
PID 1628 wrote to memory of 1720	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	86
PID 1628 wrote to memory of 2520	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	87
PID 1628 wrote to memory of 2520	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	87
PID 1628 wrote to memory of 2520	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	87
PID 1628 wrote to memory of 1960	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	88
PID 1628 wrote to memory of 1960	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	88
PID 1628 wrote to memory of 1960	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	88
PID 1628 wrote to memory of 2128	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	90
PID 1628 wrote to memory of 2128	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	90
PID 1628 wrote to memory of 2128	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	90
PID 1628 wrote to memory of 2180	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	92
PID 1628 wrote to memory of 2180	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	92
PID 1628 wrote to memory of 2180	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	92
PID 1628 wrote to memory of 3028	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	93
PID 1628 wrote to memory of 3028	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	93
PID 1628 wrote to memory of 3028	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	93
PID 1628 wrote to memory of 2096	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	94
PID 1628 wrote to memory of 2096	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	94
PID 1628 wrote to memory of 2096	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	94
PID 1628 wrote to memory of 1912	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	95
PID 1628 wrote to memory of 1912	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	95
PID 1628 wrote to memory of 1912	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	95
PID 1628 wrote to memory of 2584	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	96
PID 1628 wrote to memory of 2584	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	96
PID 1628 wrote to memory of 2584	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	96
PID 1628 wrote to memory of 1828	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	97
PID 1628 wrote to memory of 1828	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	97
PID 1628 wrote to memory of 1828	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	97
PID 1628 wrote to memory of 2636	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	98
PID 1628 wrote to memory of 2636	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	98
PID 1628 wrote to memory of 2636	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	98
PID 1628 wrote to memory of 2556	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	99
PID 1628 wrote to memory of 2556	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	99
PID 1628 wrote to memory of 2556	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	99
PID 1628 wrote to memory of 2168	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	110
PID 1628 wrote to memory of 2168	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	110
PID 1628 wrote to memory of 2168	1628	2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe	110
PID 2168 wrote to memory of 1300	2168	cmd.exe	112
PID 2168 wrote to memory of 1300	2168	cmd.exe	112
PID 2168 wrote to memory of 1300	2168	cmd.exe	112
PID 2168 wrote to memory of 2980	2168	cmd.exe	113
PID 2168 wrote to memory of 2980	2168	cmd.exe	113
PID 2168 wrote to memory of 2980	2168	cmd.exe	113
PID 2980 wrote to memory of 2000	2980	smss.exe	114
PID 2980 wrote to memory of 2000	2980	smss.exe	114
PID 2980 wrote to memory of 2000	2980	smss.exe	114
PID 2980 wrote to memory of 1484	2980	smss.exe	115
PID 2980 wrote to memory of 1484	2980	smss.exe	115
PID 2980 wrote to memory of 1484	2980	smss.exe	115
PID 2744 wrote to memory of 788	2744	smss.exe	117
PID 2744 wrote to memory of 788	2744	smss.exe	117
PID 2744 wrote to memory of 788	2744	smss.exe	117
PID 2744 wrote to memory of 2716	2744	smss.exe	118
PID 2744 wrote to memory of 2716	2744	smss.exe	118
PID 2744 wrote to memory of 2716	2744	smss.exe	118
PID 788 wrote to memory of 3008	788	WScript.exe	119
PID 788 wrote to memory of 3008	788	WScript.exe	119
PID 788 wrote to memory of 3008	788	WScript.exe	119
PID 3008 wrote to memory of 3020	3008	smss.exe	120
PID 3008 wrote to memory of 3020	3008	smss.exe	120
PID 3008 wrote to memory of 3020	3008	smss.exe	120
PID 3008 wrote to memory of 1724	3008	smss.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe
"C:\Users\Admin\AppData\Local\Temp\2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4CURSqoxo2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1300
- - C:\Windows\Media\Cityscape\smss.exe
    "C:\Windows\Media\Cityscape\smss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2980
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfe08ee7-1d48-4530-a622-92f3804aa90b.vbs"
      4⤵
      PID:2000
    - - C:\Windows\Media\Cityscape\smss.exe
        
        C:\Windows\Media\Cityscape\smss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e3c86c12-2a84-4886-ada4-51fd6fd205cd.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\Media\Cityscape\smss.exe
        
        C:\Windows\Media\Cityscape\smss.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21aea135-a657-4033-bab9-9662f445535a.vbs"
        8⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ff46510-58da-4099-a839-f833eac8a78a.vbs"
        8⤵
        
        PID:1724
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e1648bcf-f149-4dba-a551-0a089065165f.vbs"
        6⤵
        
        PID:2716
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0632d8bc-bf38-4e0b-9d6f-46b654323398.vbs"
      4⤵
      PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Cityscape\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Cityscape\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Contacts\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Contacts\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe

Filesize
1.7MB

MD5
f7fad42f9e4b261fa80f66651ce090b8

SHA1
7400359ba3ad39f19da238d5a83a2a77e815ec11

SHA256
bcea414d219f78750fcd13ea973b35fd013bd031a4e34a6d325d6d1e7a081042

SHA512
03a20a5faeb926477c3f5209359dceb9d2a9bc67054ad2f76a35fd338a99a2fa89a1844f7ee35c4757b11001489936b7dc235d241e8b213653db99574ef01405

Download Submit
C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RCXDC40.tmp

Filesize
1.7MB

MD5
f82ac711bee9b90f1f63712d106b3557

SHA1
0ab3905570949ba11b46959fb7443a7bd2be7a69

SHA256
e5a39b43b635070517339404773338bde489239ef949c3d3e5a56cc42237e51d

SHA512
63d8c3612b7be10112456efbc07c4d38006ab233d4b00ce65bb8e82ec4d9c7175094757b5a966cfb9e3abfe0d2b92871b472bab4ff0bdf2120ecbf829e126344

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\lsass.exe

Filesize
1.7MB

MD5
6edab7625800c81a8eb6ef36c2fb54fe

SHA1
28fe7ca7e96ccd496bb474ce9be0c7a828a92fed

SHA256
2b18b40a90808621be15138e6a5ab8dd849c62d5cc9bb43def5598a2ef578be5

SHA512
2de808f6acfa8fd5d734db89d75668bab1187ab68d62a432d86fe8b4a1fb6de5422c4374cb8c0a2b894c1f8fb9fa514a3238e93123486c1254075178c67cba71

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\lsass.exe

Filesize
1.7MB

MD5
bf998a70b4d938b266b56f79077b1934

SHA1
7dcc3035ceee0082b1afcdb753ce380ff64d2c9b

SHA256
266a9345c1ec70b8064b7d5cc6baf4171aa8c3271c7030d4373bbe193dc4abe7

SHA512
8d94541c2c3884c5398774dceb1a8d3ca740a85bf40a2e6346cc2d7cc01247e91babd448fa9e8fc5b445664cb254b638a6a0c092afe6bcc9d2a28647f4f93bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\0632d8bc-bf38-4e0b-9d6f-46b654323398.vbs

Filesize
487B

MD5
ab06abf41c6c20d75fd673c0544ef2b7

SHA1
c91eba154a7da107c2c4ef011e4d2f0279c399d3

SHA256
6b3966c53700c70cf07f19ecb1beab3ba77bb13cede5906483911f4ba64c6a66

SHA512
8d32afe76c35fc037f22aaf71485ddd43e448a6cc785b3a7cbbc695351129f207f21fc8f8b2a0a17de94890a4802c211a171824585e7c02127adde4158c786ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\21aea135-a657-4033-bab9-9662f445535a.vbs

Filesize
711B

MD5
6e265d61ab42a6a16fde9c201502a5a5

SHA1
b8d5e61771407d3de0af49b11a284553771d3048

SHA256
8c16a66a765d59d5857184268a98b22052885ee12a701cd5ce3f1e1ad24e6b14

SHA512
3af49eba0287e05a7d29ee0c52ddab66ccd7663977b7628acf32863270d3009203e07ad25c63c3da95916f092456a779ed9262575bfa4670844c9fb0f1f323ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\4CURSqoxo2.bat

Filesize
200B

MD5
938150f78b22c13ece886635b707c90a

SHA1
29997e2c4d55b4df260b04c733df992b3ce57a71

SHA256
bf8f98a8f1caf7d6ff8e2f2692aea019acf730d2e549fc5c1a1be08562b273fb

SHA512
0174102e92e7849ed12c00d3f909825dcd608927cec9fc86a3b8e3d8efb0f79dc2c662fe13e9673d953aba3499a3399b287be312303a62eccc5a9e1cdab52b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\e3c86c12-2a84-4886-ada4-51fd6fd205cd.vbs

Filesize
711B

MD5
bdcdb2ba08d0d969b68d91b5cd429c30

SHA1
02940605af9d99ed54c76d440493796fcd464593

SHA256
22bded0aa763953e7cf9a0a3e97996108affe8f447734597f902ace3a961afc0

SHA512
f97c9626082177282451f8abb94a93a3daabdbfd28d20552196d485287efa9e8b3b6c4d37c076a32ccf827fd20078881ce3d74dcaea66bff9fef7d3b417fa7fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a9718654fa343ee30f6f321dfb5ff43c

SHA1
0feb455dc9cdc3ea5bea2621c96dba36ed28381e

SHA256
b5b1daa504f77f32f603bc65b4d787dd736b30b7658a9067ac00417aa2e71ff7

SHA512
939de375021afd77075943650a5083ca8f172d3a030801eb2315debcb7a757dec2cdea32da300cfaa2228abffe372b6cc62e0a8ed07fa9d0f6b04917d650704b

Download Submit
C:\Windows\Media\Cityscape\smss.exe

Filesize
1.7MB

MD5
7a6e83ac205d4a6c898546bb91643d83

SHA1
6c64bff3e202c5596d796fceac17ca83e5f77203

SHA256
576f10229fe0020c512936d97b4c4df4fcf5d7ff995d005e28b28e3652012f5a

SHA512
4f3865dbd85d58e8aa910cf2ccc2a07adb8cd1d1caaa3bb42b462afaf816a5792e1003e9a609ef2edcb48f5a0d9acd25cb7c65e0033eb09a984d8bf531285426

Download Submit
C:\Windows\Setup\State\explorer.exe

Filesize
1.7MB

MD5
d4a0877a90ed6c769efd633a8a4caad8

SHA1
384c83b0b9b2f1d67e63c9b638b20fb12f89561f

SHA256
04bd13c397a9d1f812edb7ae527e545e58ba7689d0338597e16701c7b91fd855

SHA512
14bb0f4d3f39e3b239c4cdfed293a0238a6e0f6e9a12d932887462e74ddc47ff0d757aa16be15495c29b7f3b940425039b0f075ad0cc23414a0f864b0f0405b4

Download Submit
memory/1628-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/1628-13-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/1628-203-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-5-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/1628-16-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/1628-9-0x0000000000A70000-0x0000000000A78000-memory.dmp

Filesize
32KB

Download
memory/1628-20-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-8-0x0000000000A60000-0x0000000000A6C000-memory.dmp

Filesize
48KB

Download
memory/1628-7-0x0000000000A50000-0x0000000000A60000-memory.dmp

Filesize
64KB

Download
memory/1628-6-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/1628-12-0x0000000000AB0000-0x0000000000ABC000-memory.dmp

Filesize
48KB

Download
memory/1628-185-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/1628-1-0x0000000001180000-0x0000000001340000-memory.dmp

Filesize
1.8MB

Download
memory/1628-14-0x0000000000AC0000-0x0000000000ACE000-memory.dmp

Filesize
56KB

Download
memory/1628-15-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1628-208-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/1628-11-0x0000000000A80000-0x0000000000A92000-memory.dmp

Filesize
72KB

Download
memory/1628-276-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-4-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1628-3-0x0000000000450000-0x000000000046C000-memory.dmp

Filesize
112KB

Download
memory/1828-278-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1828-277-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2744-346-0x0000000001290000-0x0000000001450000-memory.dmp

Filesize
1.8MB

Download
memory/2980-336-0x0000000000EC0000-0x0000000001080000-memory.dmp

Filesize
1.8MB

Download