dcrat | c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Size

1.7MB
MD5

4f75597738cd353a6889438786801bf6
SHA1

63e5b961a8b77dedc46d8420cc78bb2df52c50ba
SHA256

c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c
SHA512

3d04a02dbda7b4ef1cee2316ffd19ed83970f7d11efcc7ee3c7c51f6c188fff06d93796caf5172293f27e7ad9cd7e56ef9fcf0378416d7b8caa99f96bfd064c0
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2600	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2600	schtasks.exe	31

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2664-1-0x0000000000EC0000-0x0000000001076000-memory.dmp	dcrat
behavioral1/files/0x0005000000019616-27.dat	dcrat
behavioral1/files/0x000600000001a4d8-68.dat	dcrat
behavioral1/files/0x00120000000173f6-171.dat	dcrat
behavioral1/memory/1160-252-0x0000000000D70000-0x0000000000F26000-memory.dmp	dcrat
behavioral1/memory/828-267-0x0000000001050000-0x0000000001206000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
976	powershell.exe
2744	powershell.exe
2740	powershell.exe
2592	powershell.exe
1488	powershell.exe
2236	powershell.exe
2432	powershell.exe
2792	powershell.exe
692	powershell.exe
2580	powershell.exe
2944	powershell.exe
2024	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Executes dropped EXE 2 IoCs

pid	Process
1160	Idle.exe
828	Idle.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\6ccacd8608530f	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Windows Portable Devices\56085415360792	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX14.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Windows Portable Devices\wininit.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\6ccacd8608530f	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXEE29.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXF511.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCXF512.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFB9C.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXFB9D.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\b75386f1303e64	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXEE28.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Windows Portable Devices\wininit.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\RCX13.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\lsm.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\Registration\CRMLog\101b941d020240	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\Web\Wallpaper\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\Registration\CRMLog\lsm.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\Web\Wallpaper\RCX6FC.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\Web\Wallpaper\b606703f51ba90	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXFE0E.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\Registration\CRMLog\RCXFE0F.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\Web\Wallpaper\RCX6FD.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\Web\Wallpaper\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2888	schtasks.exe
2916	schtasks.exe
2056	schtasks.exe
2940	schtasks.exe
1096	schtasks.exe
896	schtasks.exe
2296	schtasks.exe
2432	schtasks.exe
2796	schtasks.exe
2976	schtasks.exe
2180	schtasks.exe
2124	schtasks.exe
2380	schtasks.exe
304	schtasks.exe
2060	schtasks.exe
2224	schtasks.exe
1756	schtasks.exe
1484	schtasks.exe
2660	schtasks.exe
792	schtasks.exe
2348	schtasks.exe
2880	schtasks.exe
3056	schtasks.exe
1156	schtasks.exe
588	schtasks.exe
2560	schtasks.exe
2176	schtasks.exe
1868	schtasks.exe
2512	schtasks.exe
1620	schtasks.exe
2580	schtasks.exe
320	schtasks.exe
1456	schtasks.exe
2264	schtasks.exe
1796	schtasks.exe
788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2792	powershell.exe
976	powershell.exe
2432	powershell.exe
2580	powershell.exe
2236	powershell.exe
2592	powershell.exe
2744	powershell.exe
692	powershell.exe
2944	powershell.exe
2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2024	powershell.exe
1488	powershell.exe
2740	powershell.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe
1160	Idle.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	1160	Idle.exe
Token: SeDebugPrivilege	828	Idle.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 976	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	69
PID 2664 wrote to memory of 976	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	69
PID 2664 wrote to memory of 976	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	69
PID 2664 wrote to memory of 2792	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	70
PID 2664 wrote to memory of 2792	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	70
PID 2664 wrote to memory of 2792	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	70
PID 2664 wrote to memory of 692	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	71
PID 2664 wrote to memory of 692	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	71
PID 2664 wrote to memory of 692	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	71
PID 2664 wrote to memory of 2744	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	72
PID 2664 wrote to memory of 2744	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	72
PID 2664 wrote to memory of 2744	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	72
PID 2664 wrote to memory of 2740	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	73
PID 2664 wrote to memory of 2740	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	73
PID 2664 wrote to memory of 2740	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	73
PID 2664 wrote to memory of 2592	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	74
PID 2664 wrote to memory of 2592	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	74
PID 2664 wrote to memory of 2592	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	74
PID 2664 wrote to memory of 2580	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	75
PID 2664 wrote to memory of 2580	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	75
PID 2664 wrote to memory of 2580	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	75
PID 2664 wrote to memory of 1488	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	76
PID 2664 wrote to memory of 1488	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	76
PID 2664 wrote to memory of 1488	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	76
PID 2664 wrote to memory of 2944	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	77
PID 2664 wrote to memory of 2944	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	77
PID 2664 wrote to memory of 2944	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	77
PID 2664 wrote to memory of 2236	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	78
PID 2664 wrote to memory of 2236	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	78
PID 2664 wrote to memory of 2236	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	78
PID 2664 wrote to memory of 2432	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	79
PID 2664 wrote to memory of 2432	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	79
PID 2664 wrote to memory of 2432	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	79
PID 2664 wrote to memory of 2024	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	80
PID 2664 wrote to memory of 2024	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	80
PID 2664 wrote to memory of 2024	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	80
PID 2664 wrote to memory of 1160	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	93
PID 2664 wrote to memory of 1160	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	93
PID 2664 wrote to memory of 1160	2664	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	93
PID 1160 wrote to memory of 2292	1160	Idle.exe	94
PID 1160 wrote to memory of 2292	1160	Idle.exe	94
PID 1160 wrote to memory of 2292	1160	Idle.exe	94
PID 1160 wrote to memory of 3040	1160	Idle.exe	95
PID 1160 wrote to memory of 3040	1160	Idle.exe	95
PID 1160 wrote to memory of 3040	1160	Idle.exe	95
PID 2292 wrote to memory of 828	2292	WScript.exe	96
PID 2292 wrote to memory of 828	2292	WScript.exe	96
PID 2292 wrote to memory of 828	2292	WScript.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
"C:\Users\Admin\AppData\Local\Temp\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe
  "C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1160
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0937a6a8-265e-4275-8bdb-131464e6fb3c.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe
      "C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:828
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fc3e1cd-f2ce-43a4-a627-c7a027449984.vbs"
    3⤵
    PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9cc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9cc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9cc" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Wallpaper\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9cc" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Filesize
1.7MB

MD5
de3904d963630a3ba52c20fb3d9b2135

SHA1
80ef649800d1a7fbaae359b30fe40e6bc71d60fe

SHA256
c673135a9dc5cc7156a37594ec3c5076a7ba622bd6827d08f10e3e8fd1933a45

SHA512
a1a18d879719988e2bf00afacf17e0f7c80367cf99bc38e2d118b97905e2a36439272969222c686cc7287c4026e0696be7c195e60db76178347e37567f4ab839

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe

Filesize
1.7MB

MD5
8a7b249b943bbde2bd4da5ad105bbb26

SHA1
2af4f52b49ab6dafd7a6027fab3285df2c862ce0

SHA256
3684ef7d4ccd594844d04b783cd53c3cd0d265cb3f46e146a4e2cda740954a97

SHA512
d9189aa1b46ed0a7d5aba06ae80546928cd3d858ef1f3c33ec6a69a1c3dcc921b5da0a468b97be366645495990a162a6200d170e533333b6f50d085bf6a8ec75

Download Submit
C:\Users\Admin\AppData\Local\Temp\0937a6a8-265e-4275-8bdb-131464e6fb3c.vbs

Filesize
728B

MD5
11fa96012bf55bcc7f722cb8ec129ab1

SHA1
6d7c8d390305b6f80f0b9400927109a0522db6ba

SHA256
49aa368581391e29d6141b0dd55f358e25a28c3a98765c490e5822ef4a298572

SHA512
b380dd668683eff7496cd0d1ba7eeb3a2c0781c22e3fdd133ed674d99c51a26403dc152a66fffa46cbcc5ebcb987a180b14c7e4682e3588ed8689765441a3081

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fc3e1cd-f2ce-43a4-a627-c7a027449984.vbs

Filesize
504B

MD5
4cd49c4584d0d5295507597dc8d46751

SHA1
61611fafe731df9944025f613eaf4a41de975578

SHA256
c69b6e7ea3f15887e0f7ee26d43144d740f02ba42d01048281ebe58dff9d7353

SHA512
4ddb782a85065c705b0681c5f85f7a45dace6c4da9d1c3227e34f7fa0d9801cfe5f0ef636261ac2d031fc07bde43da958aad22a2b6c6a942b07b23d455e16c6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b449adfe9d8d9eca18a1ff922264a41c

SHA1
ed29d2c26fcf6c306722b164432c1e13dce85863

SHA256
9e1cbc3078bc500a7bde3be62a4ed26662f390e2afaa2e7bcfde0c98dadd8a1a

SHA512
e54e512caff9dcdcd6846ad5178309614958a73feb37672ed500c525589e68a50fac3476b6b040b70d2cf2b501bce81a5ddbf79bfd4cbaa59d8e75366b07952e

Download Submit
C:\Users\Admin\Desktop\lsass.exe

Filesize
1.7MB

MD5
4f75597738cd353a6889438786801bf6

SHA1
63e5b961a8b77dedc46d8420cc78bb2df52c50ba

SHA256
c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c

SHA512
3d04a02dbda7b4ef1cee2316ffd19ed83970f7d11efcc7ee3c7c51f6c188fff06d93796caf5172293f27e7ad9cd7e56ef9fcf0378416d7b8caa99f96bfd064c0

Download Submit
memory/828-268-0x0000000000740000-0x0000000000752000-memory.dmp

Filesize
72KB

Download
memory/828-267-0x0000000001050000-0x0000000001206000-memory.dmp

Filesize
1.7MB

Download
memory/1160-252-0x0000000000D70000-0x0000000000F26000-memory.dmp

Filesize
1.7MB

Download
memory/2432-233-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2432-234-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2664-15-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2664-9-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2664-16-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2664-0-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/2664-14-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2664-17-0x0000000000CA0000-0x0000000000CAC000-memory.dmp

Filesize
48KB

Download
memory/2664-19-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-12-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/2664-10-0x0000000000690000-0x0000000000698000-memory.dmp

Filesize
32KB

Download
memory/2664-13-0x0000000000CB0000-0x0000000000CBC000-memory.dmp

Filesize
48KB

Download
memory/2664-186-0x000007FEF52E3000-0x000007FEF52E4000-memory.dmp

Filesize
4KB

Download
memory/2664-8-0x0000000000680000-0x0000000000690000-memory.dmp

Filesize
64KB

Download
memory/2664-6-0x0000000000450000-0x0000000000466000-memory.dmp

Filesize
88KB

Download
memory/2664-7-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2664-5-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/2664-253-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-4-0x0000000000200000-0x0000000000208000-memory.dmp

Filesize
32KB

Download
memory/2664-3-0x0000000000430000-0x000000000044C000-memory.dmp

Filesize
112KB

Download
memory/2664-2-0x000007FEF52E0000-0x000007FEF5CCC000-memory.dmp

Filesize
9.9MB

Download
memory/2664-1-0x0000000000EC0000-0x0000000001076000-memory.dmp

Filesize
1.7MB

Download