dcrat | 970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/01/2025, 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
Size

1.7MB
MD5

fa16bee9ad161642e30e173ea53b67b5
SHA1

5d72f5f20fa40c1033dc76f59f88ffbc087b04bc
SHA256

970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c
SHA512

39c98a666a28b2793617d07263b98ddb786188acf6ce44d9cc8c0ed04eef9a3cb21b0103109894559b77adddc06566bd3b4d084e0e33ab5db635e32e240039c9
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvs:OTHUxUoh1IF9gl2V

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2464	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	356	2464	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2432-1-0x0000000000050000-0x0000000000210000-memory.dmp	dcrat
behavioral1/files/0x000600000001946b-27.dat	dcrat
behavioral1/files/0x0007000000019581-106.dat	dcrat
behavioral1/memory/1308-213-0x0000000000230000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/1256-283-0x0000000001130000-0x00000000012F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1952	powershell.exe
1376	powershell.exe
2768	powershell.exe
2992	powershell.exe
2928	powershell.exe
2856	powershell.exe
2280	powershell.exe
2756	powershell.exe
2904	powershell.exe
2084	powershell.exe
2196	powershell.exe
1936	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe

Executes dropped EXE 3 IoCs

pid	Process
1308	csrss.exe
1256	csrss.exe
2988	csrss.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Portable Devices\RCXB022.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files\Uninstall Information\explorer.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files (x86)\Windows Media Player\csrss.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\csrss.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXA183.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXB021.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\csrss.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXA58D.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCXA5FB.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files\Uninstall Information\7a0fd90576e088	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files\Windows Portable Devices\24dbde2999530e	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCX9F7E.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\RCX9F7F.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXA184.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RCXAA03.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\WmiPrvSE.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files\Windows Sidebar\es-ES\csrss.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files\Windows Sidebar\es-ES\886983d96e3d3e	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files (x86)\Windows Media Player\886983d96e3d3e	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\886983d96e3d3e	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Uninstall Information\explorer.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\RCXAA14.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\WmiPrvSE.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Windows\Tasks\RCX9D7A.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Windows\RemotePackages\RCXA389.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Windows\RemotePackages\winlogon.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Windows\Tasks\RCX9D79.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File opened for modification	C:\Windows\RemotePackages\RCXA388.tmp	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Windows\Tasks\WmiPrvSE.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Windows\Tasks\24dbde2999530e	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Windows\RemotePackages\winlogon.exe	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
File created	C:\Windows\RemotePackages\cc11b995f2a76d	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2600	schtasks.exe
2728	schtasks.exe
2864	schtasks.exe
1760	schtasks.exe
1088	schtasks.exe
1876	schtasks.exe
2828	schtasks.exe
748	schtasks.exe
572	schtasks.exe
2800	schtasks.exe
2812	schtasks.exe
3048	schtasks.exe
1212	schtasks.exe
2848	schtasks.exe
2776	schtasks.exe
332	schtasks.exe
2752	schtasks.exe
2656	schtasks.exe
2296	schtasks.exe
2896	schtasks.exe
2820	schtasks.exe
2652	schtasks.exe
2904	schtasks.exe
1756	schtasks.exe
1328	schtasks.exe
2948	schtasks.exe
1524	schtasks.exe
356	schtasks.exe
2740	schtasks.exe
1252	schtasks.exe
1948	schtasks.exe
1804	schtasks.exe
852	schtasks.exe
752	schtasks.exe
2112	schtasks.exe
2364	schtasks.exe
2224	schtasks.exe
1868	schtasks.exe
1164	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
2904	powershell.exe
2280	powershell.exe
2756	powershell.exe
1936	powershell.exe
2992	powershell.exe
1376	powershell.exe
2928	powershell.exe
1952	powershell.exe
2768	powershell.exe
2084	powershell.exe
2196	powershell.exe
1308	csrss.exe
1308	csrss.exe
1308	csrss.exe
2856	powershell.exe
1308	csrss.exe
1308	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1308	csrss.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	1256	csrss.exe
Token: SeDebugPrivilege	2988	csrss.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 2280	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	70
PID 2432 wrote to memory of 2280	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	70
PID 2432 wrote to memory of 2280	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	70
PID 2432 wrote to memory of 1936	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	71
PID 2432 wrote to memory of 1936	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	71
PID 2432 wrote to memory of 1936	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	71
PID 2432 wrote to memory of 1952	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	72
PID 2432 wrote to memory of 1952	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	72
PID 2432 wrote to memory of 1952	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	72
PID 2432 wrote to memory of 2756	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	73
PID 2432 wrote to memory of 2756	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	73
PID 2432 wrote to memory of 2756	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	73
PID 2432 wrote to memory of 1376	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	74
PID 2432 wrote to memory of 1376	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	74
PID 2432 wrote to memory of 1376	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	74
PID 2432 wrote to memory of 2768	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	75
PID 2432 wrote to memory of 2768	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	75
PID 2432 wrote to memory of 2768	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	75
PID 2432 wrote to memory of 2992	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	76
PID 2432 wrote to memory of 2992	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	76
PID 2432 wrote to memory of 2992	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	76
PID 2432 wrote to memory of 2904	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	77
PID 2432 wrote to memory of 2904	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	77
PID 2432 wrote to memory of 2904	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	77
PID 2432 wrote to memory of 2928	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	78
PID 2432 wrote to memory of 2928	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	78
PID 2432 wrote to memory of 2928	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	78
PID 2432 wrote to memory of 2856	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	79
PID 2432 wrote to memory of 2856	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	79
PID 2432 wrote to memory of 2856	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	79
PID 2432 wrote to memory of 2084	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	80
PID 2432 wrote to memory of 2084	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	80
PID 2432 wrote to memory of 2084	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	80
PID 2432 wrote to memory of 2196	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	81
PID 2432 wrote to memory of 2196	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	81
PID 2432 wrote to memory of 2196	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	81
PID 2432 wrote to memory of 1308	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	94
PID 2432 wrote to memory of 1308	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	94
PID 2432 wrote to memory of 1308	2432	970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe	94
PID 1308 wrote to memory of 2640	1308	csrss.exe	95
PID 1308 wrote to memory of 2640	1308	csrss.exe	95
PID 1308 wrote to memory of 2640	1308	csrss.exe	95
PID 1308 wrote to memory of 3052	1308	csrss.exe	96
PID 1308 wrote to memory of 3052	1308	csrss.exe	96
PID 1308 wrote to memory of 3052	1308	csrss.exe	96
PID 2640 wrote to memory of 1256	2640	WScript.exe	98
PID 2640 wrote to memory of 1256	2640	WScript.exe	98
PID 2640 wrote to memory of 1256	2640	WScript.exe	98
PID 1256 wrote to memory of 1444	1256	csrss.exe	99
PID 1256 wrote to memory of 1444	1256	csrss.exe	99
PID 1256 wrote to memory of 1444	1256	csrss.exe	99
PID 1256 wrote to memory of 1524	1256	csrss.exe	100
PID 1256 wrote to memory of 1524	1256	csrss.exe	100
PID 1256 wrote to memory of 1524	1256	csrss.exe	100
PID 1444 wrote to memory of 2988	1444	WScript.exe	101
PID 1444 wrote to memory of 2988	1444	WScript.exe	101
PID 1444 wrote to memory of 2988	1444	WScript.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe
"C:\Users\Admin\AppData\Local\Temp\970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2992
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2856
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2196
- C:\Program Files\Windows Sidebar\es-ES\csrss.exe
  "C:\Program Files\Windows Sidebar\es-ES\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2e8b03d8-f37b-4295-9476-dd8a9ee3b60c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Program Files\Windows Sidebar\es-ES\csrss.exe
      "C:\Program Files\Windows Sidebar\es-ES\csrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b55f1022-b87b-4427-a9e2-0b77d5f3637b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1444
      - C:\Program Files\Windows Sidebar\es-ES\csrss.exe
        
        "C:\Program Files\Windows Sidebar\es-ES\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9ee0cc7-6fc4-4ace-a41a-0062b103b5dc.vbs"
        5⤵
        
        PID:1524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\844008fa-6bbb-4a43-96ea-0a59f8aed4e1.vbs"
    3⤵
    PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Tasks\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\RemotePackages\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\RemotePackages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\RemotePackages\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c9" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c" /sc ONLOGON /tr "'C:\Users\Default User\970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c9" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Media Player\csrss.exe

Filesize
1.7MB

MD5
fa16bee9ad161642e30e173ea53b67b5

SHA1
5d72f5f20fa40c1033dc76f59f88ffbc087b04bc

SHA256
970501570f0a621e198be60edc51d91292faa0b74621954d840fb46dab5d892c

SHA512
39c98a666a28b2793617d07263b98ddb786188acf6ce44d9cc8c0ed04eef9a3cb21b0103109894559b77adddc06566bd3b4d084e0e33ab5db635e32e240039c9

Download Submit
C:\Program Files (x86)\Windows Media Player\csrss.exe

Filesize
1.7MB

MD5
f2679a98cc3ffa22d37115e4f06d585b

SHA1
386a0fa0cf8a25be6407b0d83dadff75350867ec

SHA256
3357db0d006b0de32ff33fb9b71d83c5450924d73ad29c71d7e30cbc8fcb98ec

SHA512
6dc727f8c126cef638f90f8fb88c88368f8674ce5bfbb8f088e029ea4756200fc88c6e0a7bb40c495aa40cb139bc233f05769fafcc1a424f8112b5f1e986a951

Download Submit
C:\Users\Admin\AppData\Local\Temp\2e8b03d8-f37b-4295-9476-dd8a9ee3b60c.vbs

Filesize
724B

MD5
3ee95a288bfe6a9d48c19c6c6d33eb60

SHA1
506993dada1c5f4801c23b3ff0d1ac11cc1dbf59

SHA256
f699b385cab4058790af0136355f3b1797c1dbf00892a518af1c02812176b431

SHA512
8401ec3e382dc8c2e4e55893d5c6c4c27da439da8e6bbe743c0274800c891ffe6910de0275586bd994c8777db34d939a107a2e5eb43ad82df24e4db3a25d1804

Download Submit
C:\Users\Admin\AppData\Local\Temp\844008fa-6bbb-4a43-96ea-0a59f8aed4e1.vbs

Filesize
500B

MD5
63a7416e8a11328f0cec38803534f87d

SHA1
ee72c424b5439169cc47378bb975c8c49639c5e9

SHA256
80785d16e9415f6ef163eaadc73a3baa9aecc453ed3bed1c5df83dd62386b63e

SHA512
f7315822ebaaf3dd5cf72e1a01319b657e5d85af3914056a9af87e1c6a104a6f49c4a25b090f665c33f6e696ae5e0ec1457f6c124395dd288a9c793e082bbf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b55f1022-b87b-4427-a9e2-0b77d5f3637b.vbs

Filesize
724B

MD5
588a439b4890cb25629376428f216201

SHA1
93cf3c5c69981a100de998b6b61ad0b9af6b596e

SHA256
f993f7c1d7884dcb691fd0af0a38d67ffe8ac33ef52d74e7d6a8aca7cf3ae51d

SHA512
ca4f08fa765e298ace274bf0910b4ba9d9fa1eadaf78f6326b379db0d9275e33523d97bbc4fc94cd8e2c8323e0456121498d73dc4566854e18f9d544aff7e967

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2df6d063ff82ec89cc2a1db2b0b6052b

SHA1
4820d0b7ccea827ca34e63a5abf536aa51ccfe36

SHA256
26b97158e97e1868c0aa0dcf92dc4aea167b46541f35395859ee266f0e51fe90

SHA512
2a24e14da392ac5ec8647f41fe3d21ec8e1dcf6497e7512d383d5727aed00207a85e4a304ca8caa31ffb32d5a188e3d676ceeded36b4fd9760d723a476c4f733

Download Submit
memory/1256-283-0x0000000001130000-0x00000000012F0000-memory.dmp

Filesize
1.8MB

Download
memory/1308-213-0x0000000000230000-0x00000000003F0000-memory.dmp

Filesize
1.8MB

Download
memory/2280-236-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2432-17-0x00000000023D0000-0x00000000023DC000-memory.dmp

Filesize
48KB

Download
memory/2432-205-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/2432-12-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/2432-14-0x0000000002320000-0x000000000232E000-memory.dmp

Filesize
56KB

Download
memory/2432-16-0x0000000002340000-0x000000000234C000-memory.dmp

Filesize
48KB

Download
memory/2432-0-0x000007FEF5713000-0x000007FEF5714000-memory.dmp

Filesize
4KB

Download
memory/2432-15-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2432-13-0x0000000002310000-0x000000000231A000-memory.dmp

Filesize
40KB

Download
memory/2432-18-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-11-0x00000000021D0000-0x00000000021E2000-memory.dmp

Filesize
72KB

Download
memory/2432-9-0x00000000021C0000-0x00000000021C8000-memory.dmp

Filesize
32KB

Download
memory/2432-8-0x00000000021B0000-0x00000000021BC000-memory.dmp

Filesize
48KB

Download
memory/2432-214-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2432-6-0x0000000002190000-0x00000000021A6000-memory.dmp

Filesize
88KB

Download
memory/2432-1-0x0000000000050000-0x0000000000210000-memory.dmp

Filesize
1.8MB

Download
memory/2432-7-0x0000000002100000-0x0000000002110000-memory.dmp

Filesize
64KB

Download
memory/2432-5-0x00000000020F0000-0x0000000002100000-memory.dmp

Filesize
64KB

Download
memory/2432-4-0x00000000008A0000-0x00000000008A8000-memory.dmp

Filesize
32KB

Download
memory/2432-3-0x0000000000880000-0x000000000089C000-memory.dmp

Filesize
112KB

Download
memory/2432-2-0x000007FEF5710000-0x000007FEF60FC000-memory.dmp

Filesize
9.9MB

Download
memory/2904-235-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2988-295-0x0000000000BA0000-0x0000000000BB2000-memory.dmp

Filesize
72KB

Download