dcrat | c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 08:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Size

1.7MB
MD5

4f75597738cd353a6889438786801bf6
SHA1

63e5b961a8b77dedc46d8420cc78bb2df52c50ba
SHA256

c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c
SHA512

3d04a02dbda7b4ef1cee2316ffd19ed83970f7d11efcc7ee3c7c51f6c188fff06d93796caf5172293f27e7ad9cd7e56ef9fcf0378416d7b8caa99f96bfd064c0
SSDEEP

24576:N3QwuLyEbVoCtPreIjNLoN/VNGeSQDx1m17zezKOkCzeJGFUJ:NgwuuEpdDLNwVMeXDL0fdSzAG

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2904	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2904	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2016-1-0x0000000000EF0000-0x00000000010A6000-memory.dmp	dcrat
behavioral1/files/0x0008000000016dd1-27.dat	dcrat
behavioral1/files/0x000500000001a4d9-64.dat	dcrat
behavioral1/files/0x000a0000000120fe-75.dat	dcrat
behavioral1/files/0x000a000000016d4a-86.dat	dcrat
behavioral1/files/0x0006000000019606-166.dat	dcrat
behavioral1/files/0x000900000001961c-190.dat	dcrat
behavioral1/files/0x0007000000019c3c-199.dat	dcrat
behavioral1/memory/2268-289-0x0000000001040000-0x00000000011F6000-memory.dmp	dcrat
behavioral1/memory/580-312-0x0000000000250000-0x0000000000406000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
2064	powershell.exe
2940	powershell.exe
2036	powershell.exe
2552	powershell.exe
2956	powershell.exe
1076	powershell.exe
2600	powershell.exe
2896	powershell.exe
1128	powershell.exe
2228	powershell.exe
2928	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Executes dropped EXE 2 IoCs

pid	Process
2268	OSPPSVC.exe
580	OSPPSVC.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXCFD1.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD03F.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\lsass.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\taskhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Internet Explorer\it-IT\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\Uninstall Information\27d1bcfc3c54e0	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD243.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RCXDDC2.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Internet Explorer\it-IT\b606703f51ba90	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\taskhost.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXE4AB.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCXE4AC.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXEBD2.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\b75386f1303e64	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\lsass.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXD2B1.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\RCXDDC3.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files\Internet Explorer\it-IT\RCXEBD3.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files (x86)\Uninstall Information\System.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\6203df4a6bafc7	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\System.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\twain_32\csrss.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\SoftwareDistribution\EventCache\RCXCDCD.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\twain_32\RCXE941.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\twain_32\RCXE9AF.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\twain_32\csrss.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\SoftwareDistribution\EventCache\explorer.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\SoftwareDistribution\EventCache\explorer.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\SoftwareDistribution\EventCache\7a0fd90576e088	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\rescache\rc0002\winlogon.exe	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File created	C:\Windows\twain_32\886983d96e3d3e	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
File opened for modification	C:\Windows\SoftwareDistribution\EventCache\RCXCD40.tmp	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2800	schtasks.exe
2696	schtasks.exe
1048	schtasks.exe
2220	schtasks.exe
2604	schtasks.exe
2316	schtasks.exe
2204	schtasks.exe
1600	schtasks.exe
2760	schtasks.exe
576	schtasks.exe
1256	schtasks.exe
952	schtasks.exe
1764	schtasks.exe
1668	schtasks.exe
2980	schtasks.exe
2960	schtasks.exe
1980	schtasks.exe
1924	schtasks.exe
2552	schtasks.exe
1400	schtasks.exe
1440	schtasks.exe
3044	schtasks.exe
1492	schtasks.exe
2504	schtasks.exe
2484	schtasks.exe
2636	schtasks.exe
2168	schtasks.exe
688	schtasks.exe
1936	schtasks.exe
748	schtasks.exe
1736	schtasks.exe
2880	schtasks.exe
2868	schtasks.exe
808	schtasks.exe
2140	schtasks.exe
2808	schtasks.exe
288	schtasks.exe
296	schtasks.exe
2100	schtasks.exe
2736	schtasks.exe
2036	schtasks.exe
2928	schtasks.exe
1740	schtasks.exe
2356	schtasks.exe
2700	schtasks.exe
1156	schtasks.exe
2468	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2420	powershell.exe
2036	powershell.exe
2552	powershell.exe
1128	powershell.exe
2600	powershell.exe
1076	powershell.exe
2940	powershell.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2928	powershell.exe
2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
2956	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2268	OSPPSVC.exe
Token: SeDebugPrivilege	580	OSPPSVC.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2552	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	80
PID 2016 wrote to memory of 2552	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	80
PID 2016 wrote to memory of 2552	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	80
PID 2016 wrote to memory of 2420	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	81
PID 2016 wrote to memory of 2420	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	81
PID 2016 wrote to memory of 2420	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	81
PID 2016 wrote to memory of 1128	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	83
PID 2016 wrote to memory of 1128	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	83
PID 2016 wrote to memory of 1128	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	83
PID 2016 wrote to memory of 2036	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	84
PID 2016 wrote to memory of 2036	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	84
PID 2016 wrote to memory of 2036	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	84
PID 2016 wrote to memory of 2940	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	85
PID 2016 wrote to memory of 2940	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	85
PID 2016 wrote to memory of 2940	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	85
PID 2016 wrote to memory of 2896	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	86
PID 2016 wrote to memory of 2896	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	86
PID 2016 wrote to memory of 2896	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	86
PID 2016 wrote to memory of 2064	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	87
PID 2016 wrote to memory of 2064	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	87
PID 2016 wrote to memory of 2064	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	87
PID 2016 wrote to memory of 2600	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	88
PID 2016 wrote to memory of 2600	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	88
PID 2016 wrote to memory of 2600	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	88
PID 2016 wrote to memory of 2956	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	89
PID 2016 wrote to memory of 2956	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	89
PID 2016 wrote to memory of 2956	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	89
PID 2016 wrote to memory of 2928	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	90
PID 2016 wrote to memory of 2928	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	90
PID 2016 wrote to memory of 2928	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	90
PID 2016 wrote to memory of 1076	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	91
PID 2016 wrote to memory of 1076	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	91
PID 2016 wrote to memory of 1076	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	91
PID 2016 wrote to memory of 2228	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	100
PID 2016 wrote to memory of 2228	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	100
PID 2016 wrote to memory of 2228	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	100
PID 2016 wrote to memory of 2268	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	104
PID 2016 wrote to memory of 2268	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	104
PID 2016 wrote to memory of 2268	2016	c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe	104
PID 2268 wrote to memory of 2288	2268	OSPPSVC.exe	105
PID 2268 wrote to memory of 2288	2268	OSPPSVC.exe	105
PID 2268 wrote to memory of 2288	2268	OSPPSVC.exe	105
PID 2268 wrote to memory of 2684	2268	OSPPSVC.exe	106
PID 2268 wrote to memory of 2684	2268	OSPPSVC.exe	106
PID 2268 wrote to memory of 2684	2268	OSPPSVC.exe	106
PID 2288 wrote to memory of 580	2288	WScript.exe	107
PID 2288 wrote to memory of 580	2288	WScript.exe	107
PID 2288 wrote to memory of 580	2288	WScript.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe
"C:\Users\Admin\AppData\Local\Temp\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1128
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2896
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2956
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Users\Admin\PrintHood\OSPPSVC.exe
  "C:\Users\Admin\PrintHood\OSPPSVC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\acb7e593-2bee-42fd-8ca8-4c36da0bdc07.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\Users\Admin\PrintHood\OSPPSVC.exe
      C:\Users\Admin\PrintHood\OSPPSVC.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4891bca8-2f2f-4946-aff8-786bc9af7b05.vbs"
    3⤵
    PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\SoftwareDistribution\EventCache\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\EventCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\EventCache\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\PrintHood\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9cc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9cc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\My Documents\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Links\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Links\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Links\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\twain_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9cc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9cc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\it-IT\c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
1.7MB

MD5
0d536efbcafcfbb63301899b1d1de61f

SHA1
c747724eecf0d2fdf1e5e0020c492fcc63afb9a5

SHA256
67fd044e4edd48079617fcdcc384f671630938d94558dc0a6a7559cdd828a824

SHA512
c65f7bf751b9d48472ba79986501135f80d0e457a74710f161866c7c7999974abf3d9dda7361a00600122682ba5ce40d24de41e6ccdde4f3ab1d7a3c8fd2d91e

Download Submit
C:\Program Files (x86)\Uninstall Information\System.exe

Filesize
1.7MB

MD5
a1979044f10c06f78cbbe8e1c5a932a3

SHA1
8dcff12fa5fbfe836c3bcc17c1ba1807af446c4c

SHA256
b7ba283e27df99a17e5df0c425b88ada36ed8a39a448f07bae3d26579a1f410a

SHA512
2c8fb8335dc10bd87b40492d652700b897f75ca9cdc504c6cc0d1ca33d262c8320c2c805452f40b16298cd8802e99480751874604d2051aeba5128205cfdbe8c

Download Submit
C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe

Filesize
1.7MB

MD5
fbaec8855ca42e234c2e513e589f0b95

SHA1
6a9b7cb77d7a9fac29b0b932cc6136c72024edfd

SHA256
ca426816c3b1f1453b67282f3b47fd7d068ad1aaff551442d2294e346fde9d45

SHA512
274be1da1bda48180860d7a065a7b462325d38b17638fe5198f4c39ad11ee9453526a0273fd29e2ae9c0fb989f259afae2f4037bf54b76ab1c9dcc1477f354e5

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe

Filesize
1.7MB

MD5
4f75597738cd353a6889438786801bf6

SHA1
63e5b961a8b77dedc46d8420cc78bb2df52c50ba

SHA256
c4decd18a009ee291ef55f6d98cd5bd4ee6daf8de9f2c82f6ec92889fc896e9c

SHA512
3d04a02dbda7b4ef1cee2316ffd19ed83970f7d11efcc7ee3c7c51f6c188fff06d93796caf5172293f27e7ad9cd7e56ef9fcf0378416d7b8caa99f96bfd064c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4891bca8-2f2f-4946-aff8-786bc9af7b05.vbs

Filesize
488B

MD5
e4252e4e07fca4ca2c0776b638b297dd

SHA1
92a29f5ad08c809805699b5151cfe17261dd0b03

SHA256
049fec8b48666c7742714a7b2384a76b3313a89a328cf4c5bde4d7d75e5de1d8

SHA512
1032b428f3c7ba3ef6dcdb6eb43877cd94d6510cfdd3dc18144df9df4cc54f08ee7bd615d0574b1a266e8cb1d7a2535019fc22e025188f544fc3e53307b9b3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\acb7e593-2bee-42fd-8ca8-4c36da0bdc07.vbs

Filesize
712B

MD5
86a2e89472c7ad498a1d9686cf98c0bc

SHA1
1552616440e6da4c97e4e99e8df0f50cc4d56ddb

SHA256
d9133d17d977deddc4e39343eebd9aef16dc0c8b99d599ff5181d91e7876af27

SHA512
04e543bed813f3993b71950178ac86efd32b7dbca9a6b948a285e3824a36fcb8eda56b6a8662cb3fe603ee12f6510a9bb8a077e291f86d61d67c76ebf60be858

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2bb71267081d485e8e5cb200fc7593b0

SHA1
8291a54ab76443b274bcc05c897e45edb43d2b89

SHA256
34271fdec41a5b9f1707b36b95248907be3c756e726f7c8182532890426a3477

SHA512
c06e840eb4c3d7cebeb046a370caf00a19c6bcd821f8ea0792b0ec74e825edb50f3b450b8bc644043463e444cac7f4c83a00a0d366c83fd16b46a52b60419999

Download Submit
C:\Users\Default\Links\explorer.exe

Filesize
1.7MB

MD5
c50d28763d21a9c0d8515e4e41773988

SHA1
8a77521a02f5c21f794eb54b7faa869f8d96ee68

SHA256
c912e99c79576d507c252e93c303b032787b9b3ab30fd52dd284dc2a21dcf54c

SHA512
25826339f5c0828578b6edbec655dd24d8c2c9ae41d0f818b4ebc3a69b15b27f66ffae1cfb6082b61d30bed2140bfe621c5fc0bc4ca643f1c30152af623f0638

Download Submit
C:\Windows\SoftwareDistribution\EventCache\explorer.exe

Filesize
1.7MB

MD5
f455893eb428a56185c578e7c99e9ce4

SHA1
ee1e3e99bdcc016bba87143255cd84d795593263

SHA256
7f22698b9197db3f1f5d49793b682ba68711a8523bd03d7e2f203adf2fa3f495

SHA512
28754338f19fc8e3c7bf5c97062616d04fb825ec8b3131214e992fbdcda164ee6cbb3ee1be5c56e33611a6b838fb7c6e0cc2ca87bc8bcda7eb5c7e638081fbbf

Download Submit
C:\Windows\twain_32\csrss.exe

Filesize
1.7MB

MD5
30c49a959e29698b0e876170a36e26a7

SHA1
e4dc46fc1cb2effba34097491f9c409240944485

SHA256
e24324cb1d53ce42ca0a6b9fa63e3a1f484450167d6c4ad8d0231c5bf6797159

SHA512
3ff29edb65111b87e79d74ca147c89df01d651fec90dcf436c39596c9d83d2d4a5f7c5cc32def6639ab109957b7c17e9fe5736d97abaf21478fba23c4e7a378c

Download Submit
memory/580-312-0x0000000000250000-0x0000000000406000-memory.dmp

Filesize
1.7MB

Download
memory/2016-9-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2016-6-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2016-16-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2016-15-0x0000000000B00000-0x0000000000B08000-memory.dmp

Filesize
32KB

Download
memory/2016-14-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/2016-17-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2016-20-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2016-12-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2016-10-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2016-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2016-8-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2016-7-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2016-181-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/2016-13-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2016-5-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2016-204-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2016-227-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2016-1-0x0000000000EF0000-0x00000000010A6000-memory.dmp

Filesize
1.7MB

Download
memory/2016-4-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/2016-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2016-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2016-300-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/2036-266-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/2268-301-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2268-289-0x0000000001040000-0x00000000011F6000-memory.dmp

Filesize
1.7MB

Download
memory/2420-236-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download