dcrat | b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
Size

1.7MB
MD5

9c3b15ccc76653e0ce7efceb6682bcf3
SHA1

05a048dc3218e5cce7211a32a7d489c9d4a633a7
SHA256

b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422
SHA512

92bebc96768766fe74a5e00b46c701d60ed8ce760b077363f4a4f19a4950edc96bee66ec27feb79f999e54654dbbd8b5dee45aead361ca72b30436eea0899330
SSDEEP

49152:z+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:eTHUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2216	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2216	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3048-1-0x0000000000980000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/files/0x000500000001952f-27.dat	dcrat
behavioral1/files/0x0008000000012119-71.dat	dcrat
behavioral1/files/0x000b00000001922c-94.dat	dcrat
behavioral1/files/0x000600000001952f-106.dat	dcrat
behavioral1/files/0x000700000001952f-116.dat	dcrat
behavioral1/files/0x00070000000195e6-127.dat	dcrat
behavioral1/files/0x0008000000019622-149.dat	dcrat
behavioral1/files/0x0009000000019627-172.dat	dcrat
behavioral1/files/0x00070000000196c0-184.dat	dcrat
behavioral1/memory/1604-264-0x0000000000F70000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/1464-294-0x0000000001010000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/2464-307-0x00000000001E0000-0x00000000003A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2608	powershell.exe
1580	powershell.exe
2492	powershell.exe
2672	powershell.exe
2832	powershell.exe
1716	powershell.exe
2132	powershell.exe
2884	powershell.exe
2328	powershell.exe
2768	powershell.exe
2772	powershell.exe
1840	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe

Executes dropped EXE 3 IoCs

pid	Process
1604	csrss.exe
1464	csrss.exe
2464	csrss.exe

Drops file in Program Files directory 35 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\c5b4cb5e9653cc	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files\Internet Explorer\886983d96e3d3e	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\spoolsv.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXD0F7.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\RCXDCD3.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\spoolsv.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\dllhost.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\5940a34987c991	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files (x86)\Google\Idle.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCA0E.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files (x86)\Google\6ccacd8608530f	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Google\RCXCC80.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXD5DB.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Internet Explorer\csrss.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\RCXDCD2.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\cc11b995f2a76d	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files\Internet Explorer\csrss.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files\Common Files\System\Ole DB\ja-JP\f3b6ecef712a24	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\RCXC51A.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\dllhost.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXCE84.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXCEF2.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXD0F6.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\services.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Google\RCXCC12.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Google\Idle.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXC9A0.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Internet Explorer\RCXD5DA.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\RCXC519.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\services.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Common\wininit.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Windows\AppCompat\Programs\csrss.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File created	C:\Windows\AppCompat\Programs\886983d96e3d3e	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXDEE7.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Windows\AppCompat\Programs\RCXDEE8.tmp	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
File opened for modification	C:\Windows\AppCompat\Programs\csrss.exe	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1276	schtasks.exe
2040	schtasks.exe
920	schtasks.exe
2900	schtasks.exe
2580	schtasks.exe
2344	schtasks.exe
2736	schtasks.exe
1724	schtasks.exe
2136	schtasks.exe
2640	schtasks.exe
1200	schtasks.exe
1844	schtasks.exe
1624	schtasks.exe
2308	schtasks.exe
2744	schtasks.exe
2888	schtasks.exe
700	schtasks.exe
2824	schtasks.exe
2680	schtasks.exe
1604	schtasks.exe
1788	schtasks.exe
328	schtasks.exe
3020	schtasks.exe
3040	schtasks.exe
1264	schtasks.exe
2336	schtasks.exe
2896	schtasks.exe
1664	schtasks.exe
304	schtasks.exe
1592	schtasks.exe
1360	schtasks.exe
1736	schtasks.exe
2088	schtasks.exe
2544	schtasks.exe
2456	schtasks.exe
2264	schtasks.exe
2672	schtasks.exe
2000	schtasks.exe
2964	schtasks.exe
1868	schtasks.exe
2220	schtasks.exe
2844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
1716	powershell.exe
2884	powershell.exe
1580	powershell.exe
2492	powershell.exe
2328	powershell.exe
2608	powershell.exe
1840	powershell.exe
2768	powershell.exe
2132	powershell.exe
2672	powershell.exe
2832	powershell.exe
2772	powershell.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe
1604	csrss.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1604	csrss.exe
Token: SeDebugPrivilege	1464	csrss.exe
Token: SeDebugPrivilege	2464	csrss.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 1716	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	74
PID 3048 wrote to memory of 1716	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	74
PID 3048 wrote to memory of 1716	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	74
PID 3048 wrote to memory of 2492	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	75
PID 3048 wrote to memory of 2492	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	75
PID 3048 wrote to memory of 2492	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	75
PID 3048 wrote to memory of 2132	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	77
PID 3048 wrote to memory of 2132	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	77
PID 3048 wrote to memory of 2132	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	77
PID 3048 wrote to memory of 1580	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	78
PID 3048 wrote to memory of 1580	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	78
PID 3048 wrote to memory of 1580	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	78
PID 3048 wrote to memory of 1840	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	79
PID 3048 wrote to memory of 1840	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	79
PID 3048 wrote to memory of 1840	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	79
PID 3048 wrote to memory of 2832	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	80
PID 3048 wrote to memory of 2832	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	80
PID 3048 wrote to memory of 2832	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	80
PID 3048 wrote to memory of 2672	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	81
PID 3048 wrote to memory of 2672	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	81
PID 3048 wrote to memory of 2672	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	81
PID 3048 wrote to memory of 2772	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	82
PID 3048 wrote to memory of 2772	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	82
PID 3048 wrote to memory of 2772	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	82
PID 3048 wrote to memory of 2768	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	83
PID 3048 wrote to memory of 2768	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	83
PID 3048 wrote to memory of 2768	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	83
PID 3048 wrote to memory of 2328	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	84
PID 3048 wrote to memory of 2328	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	84
PID 3048 wrote to memory of 2328	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	84
PID 3048 wrote to memory of 2884	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	85
PID 3048 wrote to memory of 2884	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	85
PID 3048 wrote to memory of 2884	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	85
PID 3048 wrote to memory of 2608	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	86
PID 3048 wrote to memory of 2608	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	86
PID 3048 wrote to memory of 2608	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	86
PID 3048 wrote to memory of 1604	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	98
PID 3048 wrote to memory of 1604	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	98
PID 3048 wrote to memory of 1604	3048	b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe	98
PID 1604 wrote to memory of 2348	1604	csrss.exe	99
PID 1604 wrote to memory of 2348	1604	csrss.exe	99
PID 1604 wrote to memory of 2348	1604	csrss.exe	99
PID 1604 wrote to memory of 2452	1604	csrss.exe	100
PID 1604 wrote to memory of 2452	1604	csrss.exe	100
PID 1604 wrote to memory of 2452	1604	csrss.exe	100
PID 2348 wrote to memory of 1464	2348	WScript.exe	101
PID 2348 wrote to memory of 1464	2348	WScript.exe	101
PID 2348 wrote to memory of 1464	2348	WScript.exe	101
PID 1464 wrote to memory of 1648	1464	csrss.exe	102
PID 1464 wrote to memory of 1648	1464	csrss.exe	102
PID 1464 wrote to memory of 1648	1464	csrss.exe	102
PID 1464 wrote to memory of 3024	1464	csrss.exe	103
PID 1464 wrote to memory of 3024	1464	csrss.exe	103
PID 1464 wrote to memory of 3024	1464	csrss.exe	103
PID 1648 wrote to memory of 2464	1648	WScript.exe	104
PID 1648 wrote to memory of 2464	1648	WScript.exe	104
PID 1648 wrote to memory of 2464	1648	WScript.exe	104
PID 2464 wrote to memory of 1212	2464	csrss.exe	105
PID 2464 wrote to memory of 1212	2464	csrss.exe	105
PID 2464 wrote to memory of 1212	2464	csrss.exe	105
PID 2464 wrote to memory of 2148	2464	csrss.exe	106
PID 2464 wrote to memory of 2148	2464	csrss.exe	106
PID 2464 wrote to memory of 2148	2464	csrss.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe
"C:\Users\Admin\AppData\Local\Temp\b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Program Files\Internet Explorer\csrss.exe
  "C:\Program Files\Internet Explorer\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\53785830-d9bf-462c-b256-8d6b8bc76648.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Program Files\Internet Explorer\csrss.exe
      "C:\Program Files\Internet Explorer\csrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a009607-99f0-45bf-97b2-7fc56b1dbb9f.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Program Files\Internet Explorer\csrss.exe
        
        "C:\Program Files\Internet Explorer\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a02f5d78-1959-4ad4-947e-527839f64656.vbs"
        7⤵
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1eb328f8-1d11-4b47-a901-3685e98b8e1c.vbs"
        7⤵
        
        PID:2148
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\30f96d3f-1836-4406-b1a5-f63f69d28a6b.vbs"
        5⤵
        
        PID:3024
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8c07500d-2078-4f20-89de-a3a0f22fe21a.vbs"
    3⤵
    PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Multiplayer\Checkers\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\Ole DB\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\Ole DB\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\System\Ole DB\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\sppsvc.exe

Filesize
1.7MB

MD5
9595ea5602cb0ec99e4efb28ad0c3932

SHA1
1594131a9aff73da089423cb61e3b48676cab6d1

SHA256
d51b17e440e58398eae29f9b736cd345e9adffc33d1f9900cc12c2dbc40bd906

SHA512
0a46428b32f474b339b48276588b56503576725865cd6c6c52271d15ad9e6181dff604cb8035d37ef171fbbf507337bef0ce1cf9d2766eb42c91b1ad1f345671

Download Submit
C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\dwm.exe

Filesize
1.7MB

MD5
77a3e3b840e34e8f7056dc3391b95300

SHA1
62b54e79f85482c2261971e9103da59de58967e4

SHA256
506cea2b2e3d81fe958cde7167d6de3de3fc384a88468fad63c18ce0abdb473e

SHA512
eefc9dafa2bb27a847ed98490327fd379f9899827483fa9de82d5fd82018960a5459b4030d2cd9c17ed46aa7e3172bb0c882ff59a7f59012871457a574b5d6fd

Download Submit
C:\Program Files (x86)\Google\Idle.exe

Filesize
1.7MB

MD5
799635dc989ad27de654d160365e0a75

SHA1
d70fa090e677cf84f2cece4305766742d83ce923

SHA256
c0cea6cdc116ca6806b1c06c2b8ec120e016e675557881747d66b1258611d6ff

SHA512
316ae1b89882d42375b26319caae63715eadf2949c76e4a81d5426c5c4887835520232411b59372e47de6c9fecf41d75d6d33b9d5e3b767bba67644ae2cf656d

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXCA0E.tmp

Filesize
1.7MB

MD5
2e54dccdbd076c09150a174e152f017c

SHA1
9b313c2f7b44f67eb81103c7c50f2ad55ed6bf02

SHA256
eaf436dd6ac56b175f46fddcc6ef7557e706e7dea5a69ad858a85478059e8db9

SHA512
43b9f46a02facd5ed7e66e1f4d4923b1ddf0873623d53f6e191de594b0c028db0f631a5e3988d82d22337b7a3d599d93fc8c9c085e1afd850427375ac3f211db

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\winlogon.exe

Filesize
1.7MB

MD5
9c3b15ccc76653e0ce7efceb6682bcf3

SHA1
05a048dc3218e5cce7211a32a7d489c9d4a633a7

SHA256
b3af3926d7a9983542594e9483797ba474d37804fd383b1a41506be803912422

SHA512
92bebc96768766fe74a5e00b46c701d60ed8ce760b077363f4a4f19a4950edc96bee66ec27feb79f999e54654dbbd8b5dee45aead361ca72b30436eea0899330

Download Submit
C:\Program Files (x86)\Windows Portable Devices\audiodg.exe

Filesize
1.7MB

MD5
7c54a6ebb34838b19ce10bc326508514

SHA1
412cc5fb879b8fab80ca5ad0507750ff6e276661

SHA256
749923efb1726002309e8735da4140c8e62ea58db896903cd9a95e38a31e3869

SHA512
b876dea58ceac48b251d9b35b7dcfc4cafcd526afd3846712c89e80247a9b98933eac01e1c5b25795dff83ff59cd08618acd6a4798f69536cc810654d53f2e02

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\explorer.exe

Filesize
1.7MB

MD5
62df3ec0e42c1bcbd6e85b7393e18de0

SHA1
103c2cc246b0115512756def5043a725fb7c35f9

SHA256
9227a780d0c005e918b7e0b396e57b0f3bd0569ad3c54ec0ef75082f825b620d

SHA512
c4f09e0f97da366e66d5f2c8ddf1217cd2e509b667818f54312a8628506add6f5d1cc32a5bbfe02e47a6c556853e40eab0252840184a133fc79388bf4d07ced8

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe

Filesize
1.7MB

MD5
44161aa87f6c20a00e0001626ca0ce56

SHA1
6b5a4a66ccdbdcfda3edd8e73414a6ee546c1dae

SHA256
6d95dbb7fbdc52f6f9c041074be8557291086d47526fe7c2c27f0c499f0d2fc0

SHA512
2c8e5aec0de2d879f71a3b3bc156f29cbfd11567eb9947b6a0150cc9a1f69ba3b317c4246913966182b60181a61118b9255fb8061e89f1546a3aa9cc12c83493

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a009607-99f0-45bf-97b2-7fc56b1dbb9f.vbs

Filesize
720B

MD5
6cd7726a3e2618c4200d2864801e6da9

SHA1
13569e8a8ceff22ca7e95cb84ef314b61ffb26bf

SHA256
5623eeb5a5ed2aa742c8c5921a95437119056443ed06dd041157ddcfd13fc9aa

SHA512
adb3bd97c61b337f1d8f0d9c94fa9864770b53e850f59ebf6bd5d498cb9d70e15b27cb8a72c62a749eb430452e25bd116ec68719702b2ae45a7088b64ac39278

Download Submit
C:\Users\Admin\AppData\Local\Temp\53785830-d9bf-462c-b256-8d6b8bc76648.vbs

Filesize
720B

MD5
87afa42f4e3dce1996b677503e1d04ee

SHA1
4eb00791dfa4240065875ee704495ed3533ac33e

SHA256
257864035d1896d5579b30f863c40af9ff49ca167454925591745f38b127f301

SHA512
9d987b219a83efbc1a0960fbbf276ea84fb3007b96db678539ea048e6fcbd533d7d1b2833db1616138942df3057108861142110982a9536d3f511773a727fe94

Download Submit
C:\Users\Admin\AppData\Local\Temp\8c07500d-2078-4f20-89de-a3a0f22fe21a.vbs

Filesize
496B

MD5
fc5b570d6d5664e11de3bf524f2f1044

SHA1
6b33992c9b760a4f2c806102d7d23888bccb942d

SHA256
f6edb16f4aa33c78d89d94e8623d35786cb16a246184d17d4a896cd80ec43098

SHA512
17d0a567302a4cfe2f894e05da35cd34c506583bf294c097a126e3e36fbeac166d150506d15177c45191d0c52152bed15d81cbe518eea3c5b94b5a51aea65cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a02f5d78-1959-4ad4-947e-527839f64656.vbs

Filesize
720B

MD5
c24c4c7eec7c92413d7731a679184f5f

SHA1
3b8da1ee9c258fe9f1f3b93321ca743efd81fe2d

SHA256
461f86de537f966d61910b8f09ec8db0b04cf5bb4366f574a90862bd5444ba37

SHA512
2fb6f86dcb35cd237d0b79c8d9a600fa59f35612ad5b40124c997796b2f1fa05bd23d9e32823af12f4b090fa779cf5064e08b66babd3d6ad21c12c72a5bc66ae

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b2f0cb1c8e8c92212b56a855c26a3d24

SHA1
67d53d084a32c4fa9757c04d34ef10184733b8fc

SHA256
2555e1a73c891fd725b15cf6f4afe09df59598503e334f9ee53076c0d0eb6b2d

SHA512
a59e491602cbc7d758e30f606f33f701318059687b98e33ac8e351023f8d7cc72fd79c294bfacf38518a9c4b07a1b7a14df20b48f05118275e941ffa2938eb1a

Download Submit
C:\Users\Public\Documents\spoolsv.exe

Filesize
1.7MB

MD5
04a820b9b9e44042c73853d74269f82f

SHA1
6b6b7459d2768c85f2d198a57d07dec900653045

SHA256
21c30d8df16101cca4322e2080746dfc7fd397995e5c992e28fad93adb02f116

SHA512
efbbbdc56141e0cd08ee2ae4d901881c88d45b8472e2954229b41345dd86dbb14babc0bee05addfc163b3e425cfda4737a525efb5ca59c8d97d78f42f2462c67

Download Submit
memory/1464-294-0x0000000001010000-0x00000000011D0000-memory.dmp

Filesize
1.8MB

Download
memory/1464-295-0x0000000000C10000-0x0000000000C22000-memory.dmp

Filesize
72KB

Download
memory/1604-264-0x0000000000F70000-0x0000000001130000-memory.dmp

Filesize
1.8MB

Download
memory/1604-283-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1716-243-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1716-231-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2464-307-0x00000000001E0000-0x00000000003A0000-memory.dmp

Filesize
1.8MB

Download
memory/3048-11-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/3048-12-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/3048-17-0x000000001A830000-0x000000001A83C000-memory.dmp

Filesize
48KB

Download
memory/3048-15-0x000000001A810000-0x000000001A818000-memory.dmp

Filesize
32KB

Download
memory/3048-16-0x000000001A820000-0x000000001A82C000-memory.dmp

Filesize
48KB

Download
memory/3048-175-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/3048-13-0x000000001A7F0000-0x000000001A7FA000-memory.dmp

Filesize
40KB

Download
memory/3048-199-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-14-0x000000001A800000-0x000000001A80E000-memory.dmp

Filesize
56KB

Download
memory/3048-282-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-276-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-18-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp

Filesize
4KB

Download
memory/3048-9-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/3048-8-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/3048-7-0x0000000000540000-0x0000000000550000-memory.dmp

Filesize
64KB

Download
memory/3048-6-0x0000000000520000-0x0000000000536000-memory.dmp

Filesize
88KB

Download
memory/3048-5-0x0000000000490000-0x00000000004A0000-memory.dmp

Filesize
64KB

Download
memory/3048-4-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/3048-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/3048-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Filesize
9.9MB

Download
memory/3048-1-0x0000000000980000-0x0000000000B40000-memory.dmp

Filesize
1.8MB

Download