dcrat | 35916e8b40ec27b8f3a931566a94f5a464dc9e5783c7fca1bdd194e7193bf0d7

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6e2e288705c6ca37ed2968b4ff7e7ca.exe
Size

1.6MB
MD5

d6e2e288705c6ca37ed2968b4ff7e7ca
SHA1

8f716b10bcfbb3adde8630ac0b4753068d3acf3b
SHA256

9d2b3033c9a5a32d0f15fd62edf41ee48ae15b47db8b7e0ef3208e5e5a7a3bef
SHA512

164fc15637eb15d663a6e436203fb9982ee7a8a867c2653f9505434424011cf13cee96008bcd6c0fee1650e713ac5a3a6bfc3a74798bf56f661cbe1d2c612743
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2768	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2768	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral23/memory/2760-1-0x0000000000ED0000-0x0000000001072000-memory.dmp	dcrat
behavioral23/files/0x000500000001960c-25.dat	dcrat
behavioral23/files/0x000600000001a3f8-69.dat	dcrat
behavioral23/files/0x000900000001960c-129.dat	dcrat
behavioral23/files/0x00090000000197fd-152.dat	dcrat
behavioral23/files/0x0007000000019bf6-163.dat	dcrat
behavioral23/files/0x0006000000019fd4-196.dat	dcrat
behavioral23/memory/2996-296-0x0000000000200000-0x00000000003A2000-memory.dmp	dcrat
behavioral23/memory/3008-307-0x0000000000A10000-0x0000000000BB2000-memory.dmp	dcrat
behavioral23/memory/580-330-0x0000000000CE0000-0x0000000000E82000-memory.dmp	dcrat
behavioral23/memory/2552-342-0x00000000010E0000-0x0000000001282000-memory.dmp	dcrat
behavioral23/memory/2024-365-0x0000000000230000-0x00000000003D2000-memory.dmp	dcrat
behavioral23/memory/1492-377-0x0000000001350000-0x00000000014F2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1336	powershell.exe
1148	powershell.exe
928	powershell.exe
328	powershell.exe
548	powershell.exe
1236	powershell.exe
1376	powershell.exe
3004	powershell.exe
1292	powershell.exe
1668	powershell.exe
1308	powershell.exe
1536	powershell.exe
2460	powershell.exe
2548	powershell.exe
336	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2996	csrss.exe
3008	csrss.exe
2540	csrss.exe
580	csrss.exe
2552	csrss.exe
1728	csrss.exe
2024	csrss.exe
1492	csrss.exe
1772	csrss.exe
2996	csrss.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\1610b97d3ab4a7	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\dwm.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\Windows Photo Viewer\lsass.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCX87E2.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCX87D2.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX89F6.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\886983d96e3d3e	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCX969E.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\lsass.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Windows Defender\c5b4cb5e9653cc	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX80EA.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\services.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\Windows Photo Viewer\6203df4a6bafc7	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCX7E0A.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\RCX80CA.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\dwm.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCX968D.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Windows Defender\services.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCX8A74.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6cb0b6c459d5d3	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\RCX7EB6.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX82FD.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCX830E.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\smss.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Windows\Offline Web Pages\69ddcba757bf72	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File created	C:\Windows\rescache\wip\WmiPrvSE.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX8512.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX859F.tmp	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
File opened for modification	C:\Windows\Offline Web Pages\smss.exe	d6e2e288705c6ca37ed2968b4ff7e7ca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2964	schtasks.exe
2984	schtasks.exe
2100	schtasks.exe
2168	schtasks.exe
1700	schtasks.exe
1852	schtasks.exe
2344	schtasks.exe
1992	schtasks.exe
2356	schtasks.exe
1304	schtasks.exe
2636	schtasks.exe
2652	schtasks.exe
2580	schtasks.exe
2932	schtasks.exe
2892	schtasks.exe
2136	schtasks.exe
952	schtasks.exe
2404	schtasks.exe
1904	schtasks.exe
2540	schtasks.exe
2680	schtasks.exe
760	schtasks.exe
1320	schtasks.exe
908	schtasks.exe
2424	schtasks.exe
2224	schtasks.exe
1492	schtasks.exe
1900	schtasks.exe
676	schtasks.exe
1868	schtasks.exe
2348	schtasks.exe
2476	schtasks.exe
872	schtasks.exe
880	schtasks.exe
2716	schtasks.exe
1796	schtasks.exe
2008	schtasks.exe
548	schtasks.exe
2996	schtasks.exe
1760	schtasks.exe
1628	schtasks.exe
1952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
1376	powershell.exe
1292	powershell.exe
548	powershell.exe
1308	powershell.exe
3004	powershell.exe
1148	powershell.exe
1536	powershell.exe
2460	powershell.exe
2548	powershell.exe
1236	powershell.exe
1336	powershell.exe
328	powershell.exe
1668	powershell.exe
928	powershell.exe
336	powershell.exe
2996	csrss.exe
3008	csrss.exe
2540	csrss.exe
580	csrss.exe
2552	csrss.exe
1728	csrss.exe
2024	csrss.exe
1492	csrss.exe
1772	csrss.exe
2996	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeDebugPrivilege	2996	csrss.exe
Token: SeDebugPrivilege	3008	csrss.exe
Token: SeDebugPrivilege	2540	csrss.exe
Token: SeDebugPrivilege	580	csrss.exe
Token: SeDebugPrivilege	2552	csrss.exe
Token: SeDebugPrivilege	1728	csrss.exe
Token: SeDebugPrivilege	2024	csrss.exe
Token: SeDebugPrivilege	1492	csrss.exe
Token: SeDebugPrivilege	1772	csrss.exe
Token: SeDebugPrivilege	2996	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 2460	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	73
PID 2760 wrote to memory of 2460	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	73
PID 2760 wrote to memory of 2460	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	73
PID 2760 wrote to memory of 1536	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	74
PID 2760 wrote to memory of 1536	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	74
PID 2760 wrote to memory of 1536	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	74
PID 2760 wrote to memory of 1336	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	75
PID 2760 wrote to memory of 1336	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	75
PID 2760 wrote to memory of 1336	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	75
PID 2760 wrote to memory of 1376	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	77
PID 2760 wrote to memory of 1376	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	77
PID 2760 wrote to memory of 1376	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	77
PID 2760 wrote to memory of 3004	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	79
PID 2760 wrote to memory of 3004	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	79
PID 2760 wrote to memory of 3004	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	79
PID 2760 wrote to memory of 328	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	80
PID 2760 wrote to memory of 328	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	80
PID 2760 wrote to memory of 328	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	80
PID 2760 wrote to memory of 928	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	81
PID 2760 wrote to memory of 928	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	81
PID 2760 wrote to memory of 928	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	81
PID 2760 wrote to memory of 2548	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	82
PID 2760 wrote to memory of 2548	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	82
PID 2760 wrote to memory of 2548	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	82
PID 2760 wrote to memory of 1292	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	83
PID 2760 wrote to memory of 1292	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	83
PID 2760 wrote to memory of 1292	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	83
PID 2760 wrote to memory of 1148	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	84
PID 2760 wrote to memory of 1148	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	84
PID 2760 wrote to memory of 1148	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	84
PID 2760 wrote to memory of 336	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	85
PID 2760 wrote to memory of 336	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	85
PID 2760 wrote to memory of 336	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	85
PID 2760 wrote to memory of 1668	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	94
PID 2760 wrote to memory of 1668	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	94
PID 2760 wrote to memory of 1668	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	94
PID 2760 wrote to memory of 1308	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	96
PID 2760 wrote to memory of 1308	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	96
PID 2760 wrote to memory of 1308	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	96
PID 2760 wrote to memory of 548	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	97
PID 2760 wrote to memory of 548	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	97
PID 2760 wrote to memory of 548	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	97
PID 2760 wrote to memory of 1236	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	100
PID 2760 wrote to memory of 1236	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	100
PID 2760 wrote to memory of 1236	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	100
PID 2760 wrote to memory of 936	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	103
PID 2760 wrote to memory of 936	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	103
PID 2760 wrote to memory of 936	2760	d6e2e288705c6ca37ed2968b4ff7e7ca.exe	103
PID 936 wrote to memory of 1592	936	cmd.exe	105
PID 936 wrote to memory of 1592	936	cmd.exe	105
PID 936 wrote to memory of 1592	936	cmd.exe	105
PID 936 wrote to memory of 2996	936	cmd.exe	106
PID 936 wrote to memory of 2996	936	cmd.exe	106
PID 936 wrote to memory of 2996	936	cmd.exe	106
PID 2996 wrote to memory of 648	2996	csrss.exe	107
PID 2996 wrote to memory of 648	2996	csrss.exe	107
PID 2996 wrote to memory of 648	2996	csrss.exe	107
PID 2996 wrote to memory of 3040	2996	csrss.exe	108
PID 2996 wrote to memory of 3040	2996	csrss.exe	108
PID 2996 wrote to memory of 3040	2996	csrss.exe	108
PID 648 wrote to memory of 3008	648	WScript.exe	109
PID 648 wrote to memory of 3008	648	WScript.exe	109
PID 648 wrote to memory of 3008	648	WScript.exe	109
PID 3008 wrote to memory of 320	3008	csrss.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d6e2e288705c6ca37ed2968b4ff7e7ca.exe
"C:\Users\Admin\AppData\Local\Temp\d6e2e288705c6ca37ed2968b4ff7e7ca.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d6e2e288705c6ca37ed2968b4ff7e7ca.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:928
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GQh003RWFi.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1592
- - C:\MSOCache\All Users\csrss.exe
    "C:\MSOCache\All Users\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0bed971b-3df6-4814-92c1-ffa0faaea9c0.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:648
    - - C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b7058ddb-84ea-47c1-8f30-9a3fd3005a54.vbs"
        6⤵
        
        PID:320
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7906ce86-fddc-4093-8557-b383fd15ba2d.vbs"
        8⤵
        
        PID:2972
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\060e8cc8-f1a4-420b-8392-c6545b2138c6.vbs"
        10⤵
        
        PID:2232
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d2e5fec-c535-4234-bc64-eadbc47c3200.vbs"
        12⤵
        
        PID:1256
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b021e3cb-365b-48c5-a0ee-734fef691da0.vbs"
        14⤵
        
        PID:2756
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\094f71d6-d776-4ced-bc93-f9edd93afeca.vbs"
        16⤵
        
        PID:1928
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\989ef517-1885-4cb7-91a7-e22874fbe3ed.vbs"
        18⤵
        
        PID:2876
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c931e944-ec5f-4d89-9050-e4a82ed439f4.vbs"
        20⤵
        
        PID:2104
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5351c396-492f-4f57-924e-6685def32a81.vbs"
        22⤵
        
        PID:1272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f699a43f-2793-4720-b661-616a43b6e84f.vbs"
        22⤵
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\124701eb-94fa-4a8b-95e1-589106076755.vbs"
        20⤵
        
        PID:2264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04e6b4f1-1280-462b-881d-d9d051c07673.vbs"
        18⤵
        
        PID:2092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\96264c68-364f-4d6e-9f7d-4d1d4988dbe6.vbs"
        16⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1798c085-d1f3-4fb9-9e88-cf0d63a5cc9d.vbs"
        14⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7b23103-30f1-41ce-a708-7f5ec530204a.vbs"
        12⤵
        
        PID:592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a16fe6e0-9e21-40fb-8c96-420ffc78fb88.vbs"
        10⤵
        
        PID:2324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d9502913-f8bb-4af0-8255-246aca1da6de.vbs"
        8⤵
        
        PID:2952
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\197d5c08-7201-449c-984f-6503a0686d84.vbs"
        6⤵
        
        PID:824
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4df6ecc7-d7c7-4f59-96e5-50c0be052cea.vbs"
      4⤵
      PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Offline Web Pages\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\audiodg.exe

Filesize
1.6MB

MD5
46a7f00314bcb324cfcd1c1d99459df4

SHA1
bc81545c0aa4efe75fb5a77c3fa8ddcd007b2709

SHA256
9813a542ccdb9d04ece98bf6fc31c8b2e156781e3d6d24cd3fa0f342b1ca3be6

SHA512
3f891c9e895e92627ff9f4f0dc72738fc23eaf6777ab75e037a6c70d7d8bf94c075f943afe15e32d7862b5c800697f39c8ef42d920b5361c16e37a88efc4a072

Download Submit
C:\MSOCache\All Users\csrss.exe

Filesize
1.6MB

MD5
6a8d223fbecfd24a9380ffbaae057363

SHA1
738fb0d35173b6c242aa2ee5c6c22469550319b8

SHA256
92211d5b362e25ccae7bcec3201bfca7417229a2cc61728e488002cc0f70cb57

SHA512
b8bb8979012b3ba4efcb190b48b5e085a36d00f7c11d94e88069785c031860defc4e6cde4f5cb6f42d3d59c44c7f67dd24e976ac2a9e0b208a34de4705cc99a5

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\csrss.exe

Filesize
1.6MB

MD5
63a339b0316babe3d2c61b8577477770

SHA1
c4b4109fcde2923418dc4b9017f6e3a6e3d34d9b

SHA256
212d4fe7ae5e9b09ab882eab3b1a8f15d20fd9fcc8540bdf57c1f2e928b375f9

SHA512
56ec7e56de000ad23dd7424dae0bccfb34e3ceae8ccf55936f4c539263347ccc59d2fa512d3e26ec68da78729b15c45864ccc3c73ddb6f133f6814e64e4f48fb

Download Submit
C:\Program Files (x86)\Windows Portable Devices\dwm.exe

Filesize
1.6MB

MD5
d9cd57a8062d6dcc968d2876e5acf27a

SHA1
1bd35be0c34365d391b0f76cbae63564fce7d85b

SHA256
b473a37f815161c5dcecfadea7d64a2999e7ff9e4090d0c74af3605d95bd6e0d

SHA512
1cf071ccfb7e984e98d0215c863dfef6643debad08740e4b3166abbdcc2b6a827efebc100f0715ba9cf821be463c081cd0f05e9a8c469040a0333a8e0aebf3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\060e8cc8-f1a4-420b-8392-c6545b2138c6.vbs

Filesize
706B

MD5
9fbd8940e47c8c7ee94e1d50dd9f3d0a

SHA1
780dbd7a741d2b1fc212d6b1930d5afb9ee2aed9

SHA256
3a4f5c2da69f77c70e5ebc2b7c0078cd7600c88331ec7fabab5369d68d5cd1e3

SHA512
55c23a7761c64bdbffa576dbce8d93322e621a1b80ef4d3bb6fce4bd3cd205e9a80e084851f64cc29f0419532bd9e631a698857242eaf2f82f78e9d4603ecec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\094f71d6-d776-4ced-bc93-f9edd93afeca.vbs

Filesize
707B

MD5
cca3ff383b91b5ab00cacb5aa9c9dc21

SHA1
95783a08ed3fa964d54d0465606e039df95b8d41

SHA256
d7a0636671c0969441b4b1012bc797947647edb44686e004b3e25f018433884a

SHA512
660fba22adfd37dbecc055ba66e0d1cfcf3d46abadb810fe693224f40eb912d8867e9e1e209adb64e5a3be1b6166ce867d1ff6487941f667d23290b891481dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\0bed971b-3df6-4814-92c1-ffa0faaea9c0.vbs

Filesize
707B

MD5
ff100ba61c8e7eabd270d448d7f154c9

SHA1
76d5521fa7f05c9c358cae7ae246e29aaaa991c9

SHA256
7c73bc4692edcab8b5f1c3498677417ec5a87c8ca2fa85555c9f55d2e38a91dc

SHA512
898b81b4bb7eb2889db27116d2c05307f370785eb01005482c55314f692fd0e55a48732272a0841e3696df871513f6e8f20e08461a5bb8600c1a6750e53456a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d2e5fec-c535-4234-bc64-eadbc47c3200.vbs

Filesize
707B

MD5
e1475f807678d5945240313e5a037061

SHA1
496c6b51bab2869c81f65cba0d67b1fe2495320d

SHA256
c140548233db4a0fd3df41134bb09e1d4d7c556a193698df43326bf4bdfb3a00

SHA512
e46c196dd368e2da7fc439cc9c7619eb2ba368edd714b63cb39b178fa622dcbaec69db091073459f39d8283c849babba310b06eda946c6842ff7f1513753fbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4df6ecc7-d7c7-4f59-96e5-50c0be052cea.vbs

Filesize
483B

MD5
20285b436373c81acfef1e6a03906092

SHA1
443beca06cc7ceaf65959b72f5d34b55e12dc249

SHA256
0aedb033d85ec8d729d84b2f04a7b51094022ec1d68f9943eb69b3de4e1a7c44

SHA512
0fcb95cd1cb8a158ba313c2b19a7354c8243368c1a0c3dd07edd97f53df92597ace5d8e6c1b14ed1f6793381cdbc8705050571514fef7089817e7ca1943c7f32

Download Submit
C:\Users\Admin\AppData\Local\Temp\7906ce86-fddc-4093-8557-b383fd15ba2d.vbs

Filesize
707B

MD5
51eb2abc40583f9c58d73cceab44c97c

SHA1
5e9c2f05d461e1b8dcb12ad8be5fafe321b3d7c6

SHA256
5c3f4ab440cf967717d863e93fa0d1d248f44ded452362a6eead5c527c25d48c

SHA512
89294c4c4ae7aa7b7dc002eb638270412697ef65838bbddcd2e0a672c89a7754f8da93b9626ddc33cfb6e37f4a48608ba7f3623d21e188cb82011841c360ae34

Download Submit
C:\Users\Admin\AppData\Local\Temp\989ef517-1885-4cb7-91a7-e22874fbe3ed.vbs

Filesize
707B

MD5
8c5b742fe8150cd25144101c5615068f

SHA1
bfbe4eaf33420c2098872a57540609221cbf7bfa

SHA256
1e7c14a2c0005299ba184af3740baf391914530df1c8d9edb8a36b6230f6d801

SHA512
8ff43a00d47e252323f47d76ca4a926b16b5d3cdbc30d4ce8f5504954c0abe1cab6cd3ab9bf88b13de2fdc818a7b18459fdc4ce43d2dcd7c5466cabc35cc26d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\GQh003RWFi.bat

Filesize
196B

MD5
153bdf6333a827579cd51239b1b2031c

SHA1
cadffcd471a04cc25bd5ff37a6ffbb327be401c4

SHA256
1c2fbf448c7c83589ce480e3c1e8ab92b8775ee0dbcba332ba6be910d557d662

SHA512
671da5b3d3f8f0c4dddc2a6f0d8e57d58f39728907532713a33a038e36bec9c9287c68a3e9ec77ec828f9d31f25eba50e503bfca0b55b9436c4fe0963448ea09

Download Submit
C:\Users\Admin\AppData\Local\Temp\b021e3cb-365b-48c5-a0ee-734fef691da0.vbs

Filesize
707B

MD5
ff391ac1796957de4aca25ab35538202

SHA1
55437ff3481c733222e9049b17e999676e3c44cf

SHA256
d162f94e14a2f3bcf25f02de2c819fab540aef0eca1e14e44a37cf7d6c9db6a4

SHA512
acae2e2c5d28bf2953f7ef24279b8072369fe852957342b651ef60305661c95834bdc0ced30d21eb4daec27f7753e628d4c002024aea3a9a3fd956c70c179af8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7058ddb-84ea-47c1-8f30-9a3fd3005a54.vbs

Filesize
707B

MD5
2b740f0a6658f1a1eb9cab7203205fd3

SHA1
b4edc7a98977370101ca0855ba698a88bde6ce74

SHA256
a990ddcc6e98fdb836f436b8608d7fa368d8de457b754224c20ab672c489220d

SHA512
eebd2f983004b91df4b30b472304ac0fa7d0c19bcdbe608b2e3acd92091383b9fc1a9e6f890f77f3676fd364a44d4b828853c09f9aa128b9d1469751f1849d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\c931e944-ec5f-4d89-9050-e4a82ed439f4.vbs

Filesize
707B

MD5
528d986e45afc79d77509b8cd5efc294

SHA1
93b14bacfc91c90b4d5709c18b4977114f730463

SHA256
4171a18718c8d725a7d9a78e4e6943a48f379bc4a61b40330746d53c6e34db17

SHA512
d4873f97720c3133f843b787e1b57e6abc0ff20a2fdfac433013075093292cf1325c03520890655d91ec617afd64a223280d29d3144d5787136bc7a28ecb676c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
eee26cda5982a36bc9ea0777d692a22e

SHA1
db9057636f5639d8137b1fba63f7956394e37725

SHA256
02d5cb38d70e5b783230df3701b2693628f5aa3a0c4b31b2f30dce610890f7e9

SHA512
dc32734f55bb3debac88f7809056596a24baae1c94a1d8b797c3607a92c2c23b3776012e456dc8386cb3e18cb402a2ed60c338423694b122267f4fb766c9083b

Download Submit
C:\Users\Public\Recorded TV\Sample Media\Idle.exe

Filesize
1.6MB

MD5
8d3e9cbe0da72100b7f4f2b20c211e5b

SHA1
a010b2f5f790f26f46b7b6577d83757f043f1caf

SHA256
2585f779812e3ae407ed86e0b2f14f116c5e37c2c147816c49e4d02e6e96ef21

SHA512
380aca7af89a6eeb1818d81f7f3cc5da8c31cc0bb112a206005264331dbfe546bb7c531231e29be7d0b20652a37fd99caf50bb325f26aa306d5c2c904727b971

Download Submit
C:\Windows\Offline Web Pages\smss.exe

Filesize
1.6MB

MD5
d6e2e288705c6ca37ed2968b4ff7e7ca

SHA1
8f716b10bcfbb3adde8630ac0b4753068d3acf3b

SHA256
9d2b3033c9a5a32d0f15fd62edf41ee48ae15b47db8b7e0ef3208e5e5a7a3bef

SHA512
164fc15637eb15d663a6e436203fb9982ee7a8a867c2653f9505434424011cf13cee96008bcd6c0fee1650e713ac5a3a6bfc3a74798bf56f661cbe1d2c612743

Download Submit
memory/580-330-0x0000000000CE0000-0x0000000000E82000-memory.dmp

Filesize
1.6MB

Download
memory/1376-263-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1492-377-0x0000000001350000-0x00000000014F2000-memory.dmp

Filesize
1.6MB

Download
memory/2024-365-0x0000000000230000-0x00000000003D2000-memory.dmp

Filesize
1.6MB

Download
memory/2460-262-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2552-342-0x00000000010E0000-0x0000000001282000-memory.dmp

Filesize
1.6MB

Download
memory/2760-11-0x00000000005F0000-0x00000000005FA000-memory.dmp

Filesize
40KB

Download
memory/2760-6-0x0000000000390000-0x0000000000398000-memory.dmp

Filesize
32KB

Download
memory/2760-72-0x000007FEF6503000-0x000007FEF6504000-memory.dmp

Filesize
4KB

Download
memory/2760-16-0x0000000000C00000-0x0000000000C0C000-memory.dmp

Filesize
48KB

Download
memory/2760-268-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-15-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2760-1-0x0000000000ED0000-0x0000000001072000-memory.dmp

Filesize
1.6MB

Download
memory/2760-14-0x0000000000B60000-0x0000000000B68000-memory.dmp

Filesize
32KB

Download
memory/2760-13-0x0000000000B50000-0x0000000000B58000-memory.dmp

Filesize
32KB

Download
memory/2760-2-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-12-0x0000000000600000-0x000000000060E000-memory.dmp

Filesize
56KB

Download
memory/2760-0-0x000007FEF6503000-0x000007FEF6504000-memory.dmp

Filesize
4KB

Download
memory/2760-10-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2760-9-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2760-8-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/2760-7-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/2760-97-0x000007FEF6500000-0x000007FEF6EEC000-memory.dmp

Filesize
9.9MB

Download
memory/2760-5-0x00000000002F0000-0x0000000000306000-memory.dmp

Filesize
88KB

Download
memory/2760-4-0x0000000000240000-0x0000000000250000-memory.dmp

Filesize
64KB

Download
memory/2760-3-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2996-296-0x0000000000200000-0x00000000003A2000-memory.dmp

Filesize
1.6MB

Download
memory/3008-307-0x0000000000A10000-0x0000000000BB2000-memory.dmp

Filesize
1.6MB

Download