dcrat | c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25/01/2025, 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
Size

1.7MB
MD5

15f0518755f69a45d4bbee4601eca73e
SHA1

880798aa715fdf93d1554ec4e8859ea25cb79d48
SHA256

c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff
SHA512

ee28371ff0e4b4c55e66e1c2797b78ba0c6e349c7f74cd4f35aba3c4ec694cbdd8e2490285dfe5067209ac23a986948a453304e623ca32f0b37777c96774207f
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKvK:eTHUxUoh1IF9gl2d

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3052	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3052	schtasks.exe	31

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2544-1-0x00000000012B0000-0x0000000001470000-memory.dmp	dcrat
behavioral1/files/0x00050000000194ef-29.dat	dcrat
behavioral1/files/0x000500000001a47b-90.dat	dcrat
behavioral1/files/0x000700000001a309-114.dat	dcrat
behavioral1/files/0x000b0000000194ef-157.dat	dcrat
behavioral1/files/0x00120000000194ef-249.dat	dcrat
behavioral1/memory/2180-322-0x0000000000B20000-0x0000000000CE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1184	powershell.exe
2616	powershell.exe
1908	powershell.exe
2144	powershell.exe
828	powershell.exe
1364	powershell.exe
2960	powershell.exe
1600	powershell.exe
1064	powershell.exe
1932	powershell.exe
1628	powershell.exe
324	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe

Executes dropped EXE 2 IoCs

pid	Process
2180	OSPPSVC.exe
1636	OSPPSVC.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\lsass.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\RCXC5B.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\Idle.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files\DVD Maker\RCX23F7.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files\Windows Journal\it-IT\Idle.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files\Windows Journal\it-IT\6ccacd8608530f	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX10A3.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files\DVD Maker\System.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RCX97B.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files\DVD Maker\27d1bcfc3c54e0	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\RCX97C.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files (x86)\MSBuild\lsass.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files\DVD Maker\System.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\f3b6ecef712a24	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files (x86)\MSBuild\6203df4a6bafc7	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\RCXBDD.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX1092.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files\DVD Maker\RCX2379.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\de-DE\smss.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\services.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Windows\de-DE\69ddcba757bf72	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Windows\de-DE\RCX1B18.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Windows\de-DE\RCX1B19.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Windows\SoftwareDistribution\ScanFile\RCX2C1.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Windows\SoftwareDistribution\ScanFile\RCX2C2.tmp	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File opened for modification	C:\Windows\SoftwareDistribution\ScanFile\services.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\c5b4cb5e9653cc	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Windows\Speech\Common\ja-JP\wininit.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
File created	C:\Windows\de-DE\smss.exe	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1952	schtasks.exe
3044	schtasks.exe
1160	schtasks.exe
2460	schtasks.exe
1068	schtasks.exe
1552	schtasks.exe
1984	schtasks.exe
884	schtasks.exe
2472	schtasks.exe
2732	schtasks.exe
1744	schtasks.exe
1292	schtasks.exe
2468	schtasks.exe
2008	schtasks.exe
2224	schtasks.exe
2328	schtasks.exe
2192	schtasks.exe
2664	schtasks.exe
692	schtasks.exe
320	schtasks.exe
2220	schtasks.exe
2504	schtasks.exe
1444	schtasks.exe
2888	schtasks.exe
1196	schtasks.exe
1296	schtasks.exe
1112	schtasks.exe
1016	schtasks.exe
2976	schtasks.exe
1320	schtasks.exe
2796	schtasks.exe
2688	schtasks.exe
2616	schtasks.exe
2536	schtasks.exe
1764	schtasks.exe
1968	schtasks.exe
1948	schtasks.exe
1456	schtasks.exe
1464	schtasks.exe
1480	schtasks.exe
2248	schtasks.exe
1368	schtasks.exe
3064	schtasks.exe
908	schtasks.exe
3016	schtasks.exe
2752	schtasks.exe
2428	schtasks.exe
3008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
1932	powershell.exe
1064	powershell.exe
1908	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2180	OSPPSVC.exe
Token: SeDebugPrivilege	1636	OSPPSVC.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1600	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	80
PID 2544 wrote to memory of 1600	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	80
PID 2544 wrote to memory of 1600	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	80
PID 2544 wrote to memory of 2960	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	81
PID 2544 wrote to memory of 2960	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	81
PID 2544 wrote to memory of 2960	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	81
PID 2544 wrote to memory of 324	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	82
PID 2544 wrote to memory of 324	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	82
PID 2544 wrote to memory of 324	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	82
PID 2544 wrote to memory of 1628	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	83
PID 2544 wrote to memory of 1628	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	83
PID 2544 wrote to memory of 1628	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	83
PID 2544 wrote to memory of 1364	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	85
PID 2544 wrote to memory of 1364	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	85
PID 2544 wrote to memory of 1364	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	85
PID 2544 wrote to memory of 828	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	87
PID 2544 wrote to memory of 828	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	87
PID 2544 wrote to memory of 828	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	87
PID 2544 wrote to memory of 2144	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	88
PID 2544 wrote to memory of 2144	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	88
PID 2544 wrote to memory of 2144	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	88
PID 2544 wrote to memory of 1932	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	90
PID 2544 wrote to memory of 1932	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	90
PID 2544 wrote to memory of 1932	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	90
PID 2544 wrote to memory of 1064	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	91
PID 2544 wrote to memory of 1064	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	91
PID 2544 wrote to memory of 1064	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	91
PID 2544 wrote to memory of 1908	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	93
PID 2544 wrote to memory of 1908	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	93
PID 2544 wrote to memory of 1908	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	93
PID 2544 wrote to memory of 2616	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	95
PID 2544 wrote to memory of 2616	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	95
PID 2544 wrote to memory of 2616	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	95
PID 2544 wrote to memory of 1184	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	96
PID 2544 wrote to memory of 1184	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	96
PID 2544 wrote to memory of 1184	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	96
PID 2544 wrote to memory of 1992	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	104
PID 2544 wrote to memory of 1992	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	104
PID 2544 wrote to memory of 1992	2544	c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe	104
PID 1992 wrote to memory of 1736	1992	cmd.exe	106
PID 1992 wrote to memory of 1736	1992	cmd.exe	106
PID 1992 wrote to memory of 1736	1992	cmd.exe	106
PID 1992 wrote to memory of 2180	1992	cmd.exe	107
PID 1992 wrote to memory of 2180	1992	cmd.exe	107
PID 1992 wrote to memory of 2180	1992	cmd.exe	107
PID 2180 wrote to memory of 1320	2180	OSPPSVC.exe	108
PID 2180 wrote to memory of 1320	2180	OSPPSVC.exe	108
PID 2180 wrote to memory of 1320	2180	OSPPSVC.exe	108
PID 2180 wrote to memory of 1948	2180	OSPPSVC.exe	109
PID 2180 wrote to memory of 1948	2180	OSPPSVC.exe	109
PID 2180 wrote to memory of 1948	2180	OSPPSVC.exe	109
PID 1320 wrote to memory of 1636	1320	WScript.exe	110
PID 1320 wrote to memory of 1636	1320	WScript.exe	110
PID 1320 wrote to memory of 1636	1320	WScript.exe	110
PID 1636 wrote to memory of 2696	1636	OSPPSVC.exe	111
PID 1636 wrote to memory of 2696	1636	OSPPSVC.exe	111
PID 1636 wrote to memory of 2696	1636	OSPPSVC.exe	111
PID 1636 wrote to memory of 1912	1636	OSPPSVC.exe	112
PID 1636 wrote to memory of 1912	1636	OSPPSVC.exe	112
PID 1636 wrote to memory of 1912	1636	OSPPSVC.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe
"C:\Users\Admin\AppData\Local\Temp\c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2fowLyLl2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1736
- - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
    "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eaa4f68b-644e-449f-889a-da9581236426.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c32257f-61b4-4b10-9230-378688f12543.vbs"
        6⤵
        
        PID:2696
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12f33819-c337-48d9-b509-063aeae7dc5d.vbs"
        6⤵
        
        PID:1912
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b98d482-4cb0-41bd-ae4a-f8c0be17f2cc.vbs"
      4⤵
      PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\SoftwareDistribution\ScanFile\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\ScanFile\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Public\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Temp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\Temp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\NetHood\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\RCX14DA.tmp

Filesize
1.7MB

MD5
ccf75f90c47fd9b850200f34cd1f1448

SHA1
0fa93ac7061918ba9aee1c8ae032a021f1aae868

SHA256
78acd3dc41ba8685b9fbc1e2bd077cced3d8b1749025ca284c32408225d536f5

SHA512
0c3c9674c6923e0c6ec8a4178218943c71e2f9b389f998b15450ee918be3b90265ff8fe3818a4514e801d78f8777e66e421496301dc4f7942ed29bf67f27e025

Download Submit
C:\Program Files\DVD Maker\System.exe

Filesize
1.7MB

MD5
fb118dfae90e470236b04d6728b9be67

SHA1
eba257a4fd81a4abd56723e864dd4d59284a6b37

SHA256
faa4f588aea7ac0b54267414b0bd0dcacae13fbd82845aaa9b1bfea7811a442b

SHA512
a24e69a888fa7a912205ff749431ddc1450425c04ade89f31955781d58e9914fd67de53b2a10f651d606d5a1e1671e44b06cbbf8ed409114e474329d41b9fa27

Download Submit
C:\Program Files\Windows Journal\it-IT\Idle.exe

Filesize
1.7MB

MD5
15f0518755f69a45d4bbee4601eca73e

SHA1
880798aa715fdf93d1554ec4e8859ea25cb79d48

SHA256
c73993ff9d747b12a905e1d6eed572d1500bb3c8bda0f707f94abb6ef35ffbff

SHA512
ee28371ff0e4b4c55e66e1c2797b78ba0c6e349c7f74cd4f35aba3c4ec694cbdd8e2490285dfe5067209ac23a986948a453304e623ca32f0b37777c96774207f

Download Submit
C:\Program Files\Windows Journal\it-IT\Idle.exe

Filesize
1.7MB

MD5
e0e97ec82b722cbfba7293da185a3658

SHA1
5f57f237ef547b55d8831957f1406304c2e8bf94

SHA256
1f3a4e204ecec2cb8accfb5a2cb7e41fdfed404ae30936cebfabb418b8ad3f6a

SHA512
50c7608b1c6d6c46c1d66db7c1e79323fee38cd8f05916a51f892094c09b36f0300f2881084cafd2384079ae4403ae1b6d8731bb33253615eb6cc376c1e56672

Download Submit
C:\Users\Admin\AppData\Local\Temp\12f33819-c337-48d9-b509-063aeae7dc5d.vbs

Filesize
512B

MD5
e2bf5d8e42d054c5f449acc937d3a261

SHA1
690c7b73155a7df121c4dbec9599d1f5ddad6f32

SHA256
9787ed4bd4427e557aba8a5e9893efbbcfc4a375a14af3d0482a10df59448632

SHA512
9772232f917318665cafc9627b31d00cef3a7c5ab07ce7198cc1ff5614ea8dad2768572d26ce6944034ef0bff0fd34fea1d2b72fee7842e71e4bf6c195260f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c32257f-61b4-4b10-9230-378688f12543.vbs

Filesize
736B

MD5
a47e7d1230ca034222899565b5495b32

SHA1
085fa7363d17ee7feba19922d40ba8898bd597e0

SHA256
51551ab08f8863a82b6629137e06a297f2931a2e80510550e4cf22eb69b53cdd

SHA512
cb040e58e81ecf140ead2a0842082e682c402aa045542bb34f1b7e870b41dbdf7f851fe5822410fc426ed8a772077e6fe97e38cb62e53163723299ede3fa0a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\eaa4f68b-644e-449f-889a-da9581236426.vbs

Filesize
736B

MD5
428efef6a4cfbbc2fb5725c8d98386af

SHA1
e76ed2adb8b8a27fdd004c4c62d49cd7ecad1cbf

SHA256
5616ee0cc8b5371292cf8a25f297626762522490eca4ffa9259c44d7b703e298

SHA512
764cc0a0f3361447844ed9df047a94678dddfa791a8a4c8c3669e7f4db31daf85250a654bba1b128e8d07f7326381ec129290940668fc3f15f13d882882a0938

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2fowLyLl2.bat

Filesize
225B

MD5
c3a4206ac14ed56f8274c314ede752cc

SHA1
016be39f538c2f0f030e64b2c6384e08345e6af9

SHA256
6ffb72cceb04ff6693eabdf031381b37c32d98b576a3c284a73811bf7e134864

SHA512
6fcc26269a0eeb11c56cce0df0e77ea9c64eea739eb621850ca51ee5bae892d0bfaec124b450cf37e1ccd4c4605c053ef03231bf669678580ce1c9923afb5db2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b25143e959da75cc73fe043c89ea31fd

SHA1
d588458df2bcb85f3edf593b491bbd7d3cfd2959

SHA256
1fa8f4901ba3a099cbbeb9651c65299ae724d8fc054566f75de4e96f126df697

SHA512
42a995da374cc025a63d00e7e4a3f584c470d84b92918b5664b2769317dd5b4213def2268adc5f62793c083b38f3b804359f7ae3da066ce592f261cc7465b195

Download Submit
C:\Users\Public\lsm.exe

Filesize
1.7MB

MD5
e99b6c7b531d3c10a4ebeadf5e00facb

SHA1
ccd4b455ce8ab5abb4cc92eff71da46a28f4557b

SHA256
096c0ddcecc6ba2c2b702f8d2e0915575a585febf1dabc10964c00fad90e48dd

SHA512
e79e90e9a6f7bd407dbff01fb52a944183001fc8c2175605e96d33d55d66f605f7ff58ea663441de127e4f9da4fd6a24f4c9ad7e99fab0b6ddc6412ffc57d6cc

Download Submit
memory/1636-333-0x00000000021C0000-0x00000000021D2000-memory.dmp

Filesize
72KB

Download
memory/1908-278-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/1908-266-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/2180-323-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2180-322-0x0000000000B20000-0x0000000000CE0000-memory.dmp

Filesize
1.8MB

Download
memory/2544-7-0x0000000000B10000-0x0000000000B20000-memory.dmp

Filesize
64KB

Download
memory/2544-228-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-20-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-23-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-24-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-8-0x0000000000B20000-0x0000000000B2C000-memory.dmp

Filesize
48KB

Download
memory/2544-16-0x0000000000D00000-0x0000000000D0C000-memory.dmp

Filesize
48KB

Download
memory/2544-101-0x000007FEF60D3000-0x000007FEF60D4000-memory.dmp

Filesize
4KB

Download
memory/2544-6-0x0000000000A00000-0x0000000000A16000-memory.dmp

Filesize
88KB

Download
memory/2544-117-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-9-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2544-166-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-203-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-17-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/2544-5-0x00000000009F0000-0x0000000000A00000-memory.dmp

Filesize
64KB

Download
memory/2544-0-0x000007FEF60D3000-0x000007FEF60D4000-memory.dmp

Filesize
4KB

Download
memory/2544-15-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2544-14-0x0000000000CE0000-0x0000000000CEE000-memory.dmp

Filesize
56KB

Download
memory/2544-293-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-4-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2544-13-0x00000000006A0000-0x00000000006AA000-memory.dmp

Filesize
40KB

Download
memory/2544-12-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2544-3-0x0000000000850000-0x000000000086C000-memory.dmp

Filesize
112KB

Download
memory/2544-11-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/2544-2-0x000007FEF60D0000-0x000007FEF6ABC000-memory.dmp

Filesize
9.9MB

Download
memory/2544-1-0x00000000012B0000-0x0000000001470000-memory.dmp

Filesize
1.8MB

Download