dcrat | b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9

Analysis

max time kernel
119s
max time network
107s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
Size

1.7MB
MD5

56d660c11eaba52b06b10344f8f01f70
SHA1

0901888a67e7e2ffb61a3ed953c1c38995e941e8
SHA256

b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9
SHA512

847f6ff7c2eda0032c2e5aae696fcc6249760c9b43c404889762caf239317640ce6342d26960947037a5c36604108f9bdb457854b6fffd7ceb0e03564e6a3d02
SSDEEP

49152:j+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:OTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2940	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2940	schtasks.exe	31

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/628-1-0x0000000000E80000-0x0000000001040000-memory.dmp	dcrat
behavioral1/files/0x0005000000019aee-27.dat	dcrat
behavioral1/files/0x000800000001a325-244.dat	dcrat
behavioral1/files/0x000a00000001a48a-268.dat	dcrat
behavioral1/memory/2456-341-0x00000000011C0000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2936-352-0x0000000000120000-0x00000000002E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1364	powershell.exe
2260	powershell.exe
2760	powershell.exe
2988	powershell.exe
2324	powershell.exe
3012	powershell.exe
2624	powershell.exe
2536	powershell.exe
1916	powershell.exe
1604	powershell.exe
2776	powershell.exe
1004	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe

Executes dropped EXE 2 IoCs

pid	Process
2456	taskhost.exe
2936	taskhost.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\fr-FR\services.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXF2B5.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX637.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXAAE.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Google\wininit.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Google\56085415360792	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files\Windows Portable Devices\7a0fd90576e088	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Google\RCXFD4A.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX1C1.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\Idle.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Uninstall Information\56085415360792	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\Idle.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\RCX83C.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RCXAAF.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\services.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCX1C0.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files\Windows Portable Devices\explorer.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files\Windows Portable Devices\explorer.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Uninstall Information\wininit.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6ccacd8608530f	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\RCX8AA.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXEBCC.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\wininit.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\c5b4cb5e9653cc	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXEBCD.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXF2B4.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX638.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\6ccacd8608530f	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Google\RCXFD49.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Program Files (x86)\Google\wininit.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCXCB2.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCXD21.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Speech\b75386f1303e64	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Vss\Writers\WmiPrvSE.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Speech\taskhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Speech\taskhost.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Speech\RCXF8C3.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Vss\Writers\WmiPrvSE.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Vss\Writers\24dbde2999530e	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Boot\Fonts\csrss.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Performance\WinSAT\DataStore\csrss.exe	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Vss\Writers\RCXFB45.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File created	C:\Windows\Performance\WinSAT\DataStore\886983d96e3d3e	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Speech\RCXF8C4.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
File opened for modification	C:\Windows\Vss\Writers\RCXFB44.tmp	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe
1860	schtasks.exe
2568	schtasks.exe
1612	schtasks.exe
668	schtasks.exe
2216	schtasks.exe
596	schtasks.exe
1508	schtasks.exe
1616	schtasks.exe
2312	schtasks.exe
1532	schtasks.exe
2656	schtasks.exe
2172	schtasks.exe
2112	schtasks.exe
1960	schtasks.exe
920	schtasks.exe
2996	schtasks.exe
776	schtasks.exe
952	schtasks.exe
2116	schtasks.exe
2316	schtasks.exe
2908	schtasks.exe
2008	schtasks.exe
3032	schtasks.exe
2248	schtasks.exe
936	schtasks.exe
1684	schtasks.exe
2968	schtasks.exe
408	schtasks.exe
2620	schtasks.exe
324	schtasks.exe
684	schtasks.exe
3056	schtasks.exe
1884	schtasks.exe
2792	schtasks.exe
1624	schtasks.exe
3060	schtasks.exe
1848	schtasks.exe
1440	schtasks.exe
2200	schtasks.exe
2508	schtasks.exe
1924	schtasks.exe
1216	schtasks.exe
2624	schtasks.exe
1604	schtasks.exe
1944	schtasks.exe
2140	schtasks.exe
1888	schtasks.exe
1732	schtasks.exe
112	schtasks.exe
1000	schtasks.exe
2452	schtasks.exe
836	schtasks.exe
2400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
2760	powershell.exe
2324	powershell.exe
1604	powershell.exe
2624	powershell.exe
2260	powershell.exe
2776	powershell.exe
1004	powershell.exe
1364	powershell.exe
2536	powershell.exe
3012	powershell.exe
2988	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2456	taskhost.exe
Token: SeDebugPrivilege	2936	taskhost.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 2988	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	86
PID 628 wrote to memory of 2988	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	86
PID 628 wrote to memory of 2988	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	86
PID 628 wrote to memory of 1364	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	87
PID 628 wrote to memory of 1364	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	87
PID 628 wrote to memory of 1364	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	87
PID 628 wrote to memory of 2324	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	88
PID 628 wrote to memory of 2324	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	88
PID 628 wrote to memory of 2324	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	88
PID 628 wrote to memory of 3012	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	89
PID 628 wrote to memory of 3012	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	89
PID 628 wrote to memory of 3012	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	89
PID 628 wrote to memory of 2260	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	90
PID 628 wrote to memory of 2260	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	90
PID 628 wrote to memory of 2260	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	90
PID 628 wrote to memory of 2624	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	91
PID 628 wrote to memory of 2624	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	91
PID 628 wrote to memory of 2624	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	91
PID 628 wrote to memory of 2536	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	92
PID 628 wrote to memory of 2536	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	92
PID 628 wrote to memory of 2536	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	92
PID 628 wrote to memory of 1916	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	93
PID 628 wrote to memory of 1916	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	93
PID 628 wrote to memory of 1916	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	93
PID 628 wrote to memory of 1604	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	94
PID 628 wrote to memory of 1604	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	94
PID 628 wrote to memory of 1604	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	94
PID 628 wrote to memory of 2776	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	95
PID 628 wrote to memory of 2776	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	95
PID 628 wrote to memory of 2776	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	95
PID 628 wrote to memory of 1004	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	96
PID 628 wrote to memory of 1004	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	96
PID 628 wrote to memory of 1004	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	96
PID 628 wrote to memory of 2760	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	98
PID 628 wrote to memory of 2760	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	98
PID 628 wrote to memory of 2760	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	98
PID 628 wrote to memory of 1608	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	110
PID 628 wrote to memory of 1608	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	110
PID 628 wrote to memory of 1608	628	b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe	110
PID 1608 wrote to memory of 568	1608	cmd.exe	112
PID 1608 wrote to memory of 568	1608	cmd.exe	112
PID 1608 wrote to memory of 568	1608	cmd.exe	112
PID 1608 wrote to memory of 2456	1608	cmd.exe	113
PID 1608 wrote to memory of 2456	1608	cmd.exe	113
PID 1608 wrote to memory of 2456	1608	cmd.exe	113
PID 2456 wrote to memory of 1416	2456	taskhost.exe	114
PID 2456 wrote to memory of 1416	2456	taskhost.exe	114
PID 2456 wrote to memory of 1416	2456	taskhost.exe	114
PID 2456 wrote to memory of 2296	2456	taskhost.exe	115
PID 2456 wrote to memory of 2296	2456	taskhost.exe	115
PID 2456 wrote to memory of 2296	2456	taskhost.exe	115
PID 1416 wrote to memory of 2936	1416	WScript.exe	116
PID 1416 wrote to memory of 2936	1416	WScript.exe	116
PID 1416 wrote to memory of 2936	1416	WScript.exe	116
PID 2936 wrote to memory of 2736	2936	taskhost.exe	117
PID 2936 wrote to memory of 2736	2936	taskhost.exe	117
PID 2936 wrote to memory of 2736	2936	taskhost.exe	117
PID 2936 wrote to memory of 1656	2936	taskhost.exe	118
PID 2936 wrote to memory of 1656	2936	taskhost.exe	118
PID 2936 wrote to memory of 1656	2936	taskhost.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe
"C:\Users\Admin\AppData\Local\Temp\b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2760
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d3MaXLcoXq.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:568
- - C:\Windows\Speech\taskhost.exe
    "C:\Windows\Speech\taskhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2456
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c2882c8-da74-4c43-af9b-a35b3742d51e.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\Speech\taskhost.exe
        
        C:\Windows\Speech\taskhost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\851c6361-c285-411f-ba38-905735dfb9c2.vbs"
        6⤵
        
        PID:2736
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6de4aa9e-4652-4062-b9e5-e50596145791.vbs"
        6⤵
        
        PID:1656
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94bc7c9d-575f-403a-89a3-6cce9745ac29.vbs"
      4⤵
      PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Speech\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Speech\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Windows\Speech\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\Vss\Writers\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\Idle.exe

Filesize
1.7MB

MD5
8c0f0da57ca15f17d0613dec4e55ab60

SHA1
c40e0018ce997378440d8d86aa16cad77dae4ece

SHA256
352a95c55f779b8e44d90ef5b7e53b82a311f86082d63ec4ac44a1f1c5004306

SHA512
c830f9cd7154f0b50715aabd8d3c6e6791270e3e32693242f1166afefb46aeb06a511d82f2543d9b821cfe0e84af89924bdaf85e0bf2c4952938172774ab8593

Download Submit
C:\Users\Admin\AppData\Local\Temp\2c2882c8-da74-4c43-af9b-a35b3742d51e.vbs

Filesize
706B

MD5
7dbaf6b964e71f2e3eea89eeb4967d1f

SHA1
dff7c754398cff8d9a3ddd9f938733dc398de1b8

SHA256
1f3f8c30621b6ca9fd22bf9a94d6d1687e0fb708472e329f06b9e946ee2e9863

SHA512
df3b51409d9ce388854f8e4c81105f68e873f243f0597e0db82b5e225603be24ad838e938267d85a66c594d11fd33323df604949a486f15b39431be11fe7ab92

Download Submit
C:\Users\Admin\AppData\Local\Temp\851c6361-c285-411f-ba38-905735dfb9c2.vbs

Filesize
706B

MD5
3a5868bfa3c832bc25df48b5c1aa59ff

SHA1
e35a9e58cb9c2a0c39323547536d3034e3f55625

SHA256
12654e1d45182198a4768f2add74977c42299a5bbdb6701ffa267e853f4ed09d

SHA512
586570dfa2e334b60718a2214ee274133a05a29bec728c6bb7c19d193525e210f1d865619e4b53d58e7f369a1ace5306122b96cae541d6b77eaf89095a2f13d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\94bc7c9d-575f-403a-89a3-6cce9745ac29.vbs

Filesize
482B

MD5
27332e02da71fb36dc89075e3d37ac5f

SHA1
039ee6a890a110593bf7e701fea5a104fbc0cb90

SHA256
8e783a0a74422ab281274e3c06d12b748bf4cde06ed4e619cd765ee86b2416cb

SHA512
9af323b72003c1091cb5c714de0f6b9b5288d70f668bbc5efcff4bff4aeef3ebdc83ede5f6e8c595c08963e153d60abcbd79548a753442103e5f43ef710fbbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\d3MaXLcoXq.bat

Filesize
195B

MD5
f9ba59286a1ef85cf251aabce54dfc3c

SHA1
a67543c3ba7c9c1038536824ce881e0a27dafbab

SHA256
33d94e73a16988051e30378d6d41a9822217c5dc5bbdd7b4c73ed67a37ce612a

SHA512
0580b07882e109c3adaf5164acb9cbe4d2c7341d01dff74cf0891bce88c1e264be5b67f5e1d33a127ee76b60446227f28ac8d3a5ef1b4100d4ccc950d95115b4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e42ab47de89c2bf0de0d6155c99e1aa6

SHA1
893092481535679f626b0815cc8da03efa26030f

SHA256
82755f39434436add432cddc105ef30e1fec2c0898beeff1826a5777b0654312

SHA512
aa19a147b7f9fb2be6bfb93362f561c166da3e53ed86ed1ac12ebc9238a4dbf45d4847f48c205a0530d54534964fd76637e086b8a36be528f21e2d89d9183030

Download Submit
C:\Users\Admin\Videos\services.exe

Filesize
1.7MB

MD5
56d660c11eaba52b06b10344f8f01f70

SHA1
0901888a67e7e2ffb61a3ed953c1c38995e941e8

SHA256
b5c6994663af49b9950114a685af96d43d23bf4ac3f0f691169fe280bfd8a6d9

SHA512
847f6ff7c2eda0032c2e5aae696fcc6249760c9b43c404889762caf239317640ce6342d26960947037a5c36604108f9bdb457854b6fffd7ceb0e03564e6a3d02

Download Submit
C:\Windows\Performance\WinSAT\DataStore\csrss.exe

Filesize
1.7MB

MD5
bf2770376c81bb1ced722f2bd14b6df5

SHA1
32cef6f7a8bd039c6ff721c851782326e1768af9

SHA256
ae55af710d1408c2c915340824bec5c8399cb505976844399d9ff5b96f50809b

SHA512
c205964dd89120c8dc6b867ecc9d9765817cdd00e74206771cdda51a319526d836155836a472253b648ea4656d8c0fe76799efc2cdd709233dad1dacb1e25be4

Download Submit
memory/628-17-0x0000000000E10000-0x0000000000E1C000-memory.dmp

Filesize
48KB

Download
memory/628-6-0x0000000000AC0000-0x0000000000AD6000-memory.dmp

Filesize
88KB

Download
memory/628-11-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/628-12-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/628-14-0x0000000000CD0000-0x0000000000CDE000-memory.dmp

Filesize
56KB

Download
memory/628-13-0x0000000000E00000-0x0000000000E0A000-memory.dmp

Filesize
40KB

Download
memory/628-16-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/628-15-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

Filesize
32KB

Download
memory/628-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/628-20-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-8-0x0000000000AE0000-0x0000000000AEC000-memory.dmp

Filesize
48KB

Download
memory/628-199-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

Filesize
4KB

Download
memory/628-223-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-9-0x0000000000AF0000-0x0000000000AF8000-memory.dmp

Filesize
32KB

Download
memory/628-247-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-7-0x0000000000A30000-0x0000000000A40000-memory.dmp

Filesize
64KB

Download
memory/628-276-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-5-0x0000000000410000-0x0000000000420000-memory.dmp

Filesize
64KB

Download
memory/628-1-0x0000000000E80000-0x0000000001040000-memory.dmp

Filesize
1.8MB

Download
memory/628-2-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

Filesize
9.9MB

Download
memory/628-4-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/628-3-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/2324-307-0x0000000001FB0000-0x0000000001FB8000-memory.dmp

Filesize
32KB

Download
memory/2456-341-0x00000000011C0000-0x0000000001380000-memory.dmp

Filesize
1.8MB

Download
memory/2760-297-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2936-352-0x0000000000120000-0x00000000002E0000-memory.dmp

Filesize
1.8MB

Download