dcrat | 7e71c79883eb025596762b4e0bf86b447039079dfe510ccf13a383b612575fa6

Analysis

max time kernel
113s
max time network
161s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dfc71cfc45034d671ac0f319bc080bd.exe
Size

885KB
MD5

3dfc71cfc45034d671ac0f319bc080bd
SHA1

7d8a8faccf06d8ec762bdf56e8842dd069ec3801
SHA256

13af700b0453342984055a1e70619698a9163812e7524e4c6c264e29f25fd9a1
SHA512

8c824df6e8976dbf362cc075a1f114d9b86ad16cc0bedd880ef0a6afb7e745b901d957b96b8cf40020cbfb1c52f82874eacd319a9dc905b64d793c953503a00e
SSDEEP

12288:8lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:8lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 60 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2020	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2020	schtasks.exe	30

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral23/memory/1628-1-0x00000000011E0000-0x00000000012C4000-memory.dmp	dcrat
behavioral23/files/0x000500000001a0b6-18.dat	dcrat
behavioral23/files/0x000600000001a457-41.dat	dcrat
behavioral23/memory/1808-289-0x0000000000D60000-0x0000000000E44000-memory.dmp	dcrat
behavioral23/memory/2664-300-0x0000000000E90000-0x0000000000F74000-memory.dmp	dcrat
behavioral23/memory/1796-312-0x0000000001190000-0x0000000001274000-memory.dmp	dcrat
behavioral23/memory/1204-324-0x0000000001300000-0x00000000013E4000-memory.dmp	dcrat
behavioral23/memory/2428-358-0x00000000001C0000-0x00000000002A4000-memory.dmp	dcrat
behavioral23/memory/2596-370-0x0000000001050000-0x0000000001134000-memory.dmp	dcrat
behavioral23/files/0x000500000001a48f-392.dat	dcrat

Executes dropped EXE 7 IoCs

pid	Process
1808	OSPPSVC.exe
2664	OSPPSVC.exe
1796	OSPPSVC.exe
1204	OSPPSVC.exe
2812	OSPPSVC.exe
2460	OSPPSVC.exe
2428	OSPPSVC.exe

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\fr-FR\56085415360792	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXD839.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\0a1fd5f707cd16	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCXD84C.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Mail\fr-FR\services.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Uninstall Information\dwm.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Uninstall Information\6cb0b6c459d5d3	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\wininit.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXE43D.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD86E.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\24dbde2999530e	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCXE43E.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXE473.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE4AC.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Mail\fr-FR\taskhost.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\RCXD7AC.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCXD85C.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCXD932.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\1610b97d3ab4a7	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCXE42C.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXE49B.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXE476.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Mail\fr-FR\c5b4cb5e9653cc	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files\Windows Mail\fr-FR\b75386f1303e64	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\es-ES\1610b97d3ab4a7	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\es-ES\RCXE42D.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\886983d96e3d3e	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCXD893.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Mail\fr-FR\RCXD943.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD86D.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCXD892.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\fr-FR\RCXE462.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\RCXE487.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\RCXE42B.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\Tasks\sppsvc.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\Tasks\sppsvc.exe	3dfc71cfc45034d671ac0f319bc080bd.exe
File created	C:\Windows\Tasks\0a1fd5f707cd16	3dfc71cfc45034d671ac0f319bc080bd.exe
File opened for modification	C:\Windows\Tasks\RCXE40A.tmp	3dfc71cfc45034d671ac0f319bc080bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 60 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
760	schtasks.exe
1132	schtasks.exe
1152	schtasks.exe
3060	schtasks.exe
2304	schtasks.exe
3036	schtasks.exe
2864	schtasks.exe
2524	schtasks.exe
2572	schtasks.exe
1552	schtasks.exe
1660	schtasks.exe
1016	schtasks.exe
2480	schtasks.exe
2828	schtasks.exe
1500	schtasks.exe
2872	schtasks.exe
2484	schtasks.exe
1152	schtasks.exe
2316	schtasks.exe
1348	schtasks.exe
2320	schtasks.exe
2016	schtasks.exe
2860	schtasks.exe
3004	schtasks.exe
916	schtasks.exe
2396	schtasks.exe
1288	schtasks.exe
1984	schtasks.exe
1436	schtasks.exe
1548	schtasks.exe
2896	schtasks.exe
2832	schtasks.exe
1352	schtasks.exe
1652	schtasks.exe
3028	schtasks.exe
2908	schtasks.exe
980	schtasks.exe
2972	schtasks.exe
1108	schtasks.exe
2444	schtasks.exe
1804	schtasks.exe
2032	schtasks.exe
2800	schtasks.exe
1084	schtasks.exe
1028	schtasks.exe
2636	schtasks.exe
1668	schtasks.exe
1348	schtasks.exe
3052	schtasks.exe
2356	schtasks.exe
2100	schtasks.exe
2936	schtasks.exe
1040	schtasks.exe
2884	schtasks.exe
2664	schtasks.exe
544	schtasks.exe
2932	schtasks.exe
2192	schtasks.exe
1400	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
1628	3dfc71cfc45034d671ac0f319bc080bd.exe
1204	3dfc71cfc45034d671ac0f319bc080bd.exe
1204	3dfc71cfc45034d671ac0f319bc080bd.exe
1204	3dfc71cfc45034d671ac0f319bc080bd.exe
1204	3dfc71cfc45034d671ac0f319bc080bd.exe
1204	3dfc71cfc45034d671ac0f319bc080bd.exe
1204	3dfc71cfc45034d671ac0f319bc080bd.exe
1204	3dfc71cfc45034d671ac0f319bc080bd.exe
1808	OSPPSVC.exe
2664	OSPPSVC.exe
1796	OSPPSVC.exe
1204	OSPPSVC.exe
2812	OSPPSVC.exe
2460	OSPPSVC.exe
2428	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1628	3dfc71cfc45034d671ac0f319bc080bd.exe
Token: SeDebugPrivilege	1204	3dfc71cfc45034d671ac0f319bc080bd.exe
Token: SeDebugPrivilege	1808	OSPPSVC.exe
Token: SeDebugPrivilege	2664	OSPPSVC.exe
Token: SeDebugPrivilege	1796	OSPPSVC.exe
Token: SeDebugPrivilege	1204	OSPPSVC.exe
Token: SeDebugPrivilege	2812	OSPPSVC.exe
Token: SeDebugPrivilege	2460	OSPPSVC.exe
Token: SeDebugPrivilege	2428	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 1204	1628	3dfc71cfc45034d671ac0f319bc080bd.exe	58
PID 1628 wrote to memory of 1204	1628	3dfc71cfc45034d671ac0f319bc080bd.exe	58
PID 1628 wrote to memory of 1204	1628	3dfc71cfc45034d671ac0f319bc080bd.exe	58
PID 1204 wrote to memory of 2448	1204	3dfc71cfc45034d671ac0f319bc080bd.exe	92
PID 1204 wrote to memory of 2448	1204	3dfc71cfc45034d671ac0f319bc080bd.exe	92
PID 1204 wrote to memory of 2448	1204	3dfc71cfc45034d671ac0f319bc080bd.exe	92
PID 2448 wrote to memory of 1672	2448	cmd.exe	94
PID 2448 wrote to memory of 1672	2448	cmd.exe	94
PID 2448 wrote to memory of 1672	2448	cmd.exe	94
PID 2448 wrote to memory of 1808	2448	cmd.exe	95
PID 2448 wrote to memory of 1808	2448	cmd.exe	95
PID 2448 wrote to memory of 1808	2448	cmd.exe	95
PID 1808 wrote to memory of 2380	1808	OSPPSVC.exe	96
PID 1808 wrote to memory of 2380	1808	OSPPSVC.exe	96
PID 1808 wrote to memory of 2380	1808	OSPPSVC.exe	96
PID 1808 wrote to memory of 2928	1808	OSPPSVC.exe	97
PID 1808 wrote to memory of 2928	1808	OSPPSVC.exe	97
PID 1808 wrote to memory of 2928	1808	OSPPSVC.exe	97
PID 2380 wrote to memory of 2664	2380	WScript.exe	98
PID 2380 wrote to memory of 2664	2380	WScript.exe	98
PID 2380 wrote to memory of 2664	2380	WScript.exe	98
PID 2664 wrote to memory of 2464	2664	OSPPSVC.exe	99
PID 2664 wrote to memory of 2464	2664	OSPPSVC.exe	99
PID 2664 wrote to memory of 2464	2664	OSPPSVC.exe	99
PID 2664 wrote to memory of 2408	2664	OSPPSVC.exe	100
PID 2664 wrote to memory of 2408	2664	OSPPSVC.exe	100
PID 2664 wrote to memory of 2408	2664	OSPPSVC.exe	100
PID 2464 wrote to memory of 1796	2464	WScript.exe	101
PID 2464 wrote to memory of 1796	2464	WScript.exe	101
PID 2464 wrote to memory of 1796	2464	WScript.exe	101
PID 1796 wrote to memory of 1064	1796	OSPPSVC.exe	102
PID 1796 wrote to memory of 1064	1796	OSPPSVC.exe	102
PID 1796 wrote to memory of 1064	1796	OSPPSVC.exe	102
PID 1796 wrote to memory of 2364	1796	OSPPSVC.exe	103
PID 1796 wrote to memory of 2364	1796	OSPPSVC.exe	103
PID 1796 wrote to memory of 2364	1796	OSPPSVC.exe	103
PID 1064 wrote to memory of 1204	1064	WScript.exe	104
PID 1064 wrote to memory of 1204	1064	WScript.exe	104
PID 1064 wrote to memory of 1204	1064	WScript.exe	104
PID 1204 wrote to memory of 944	1204	OSPPSVC.exe	105
PID 1204 wrote to memory of 944	1204	OSPPSVC.exe	105
PID 1204 wrote to memory of 944	1204	OSPPSVC.exe	105
PID 1204 wrote to memory of 432	1204	OSPPSVC.exe	106
PID 1204 wrote to memory of 432	1204	OSPPSVC.exe	106
PID 1204 wrote to memory of 432	1204	OSPPSVC.exe	106
PID 944 wrote to memory of 2812	944	WScript.exe	107
PID 944 wrote to memory of 2812	944	WScript.exe	107
PID 944 wrote to memory of 2812	944	WScript.exe	107
PID 2812 wrote to memory of 1084	2812	OSPPSVC.exe	108
PID 2812 wrote to memory of 1084	2812	OSPPSVC.exe	108
PID 2812 wrote to memory of 1084	2812	OSPPSVC.exe	108
PID 2812 wrote to memory of 872	2812	OSPPSVC.exe	109
PID 2812 wrote to memory of 872	2812	OSPPSVC.exe	109
PID 2812 wrote to memory of 872	2812	OSPPSVC.exe	109
PID 1084 wrote to memory of 2460	1084	WScript.exe	110
PID 1084 wrote to memory of 2460	1084	WScript.exe	110
PID 1084 wrote to memory of 2460	1084	WScript.exe	110
PID 2460 wrote to memory of 2348	2460	OSPPSVC.exe	111
PID 2460 wrote to memory of 2348	2460	OSPPSVC.exe	111
PID 2460 wrote to memory of 2348	2460	OSPPSVC.exe	111
PID 2460 wrote to memory of 2936	2460	OSPPSVC.exe	112
PID 2460 wrote to memory of 2936	2460	OSPPSVC.exe	112
PID 2460 wrote to memory of 2936	2460	OSPPSVC.exe	112
PID 2348 wrote to memory of 2428	2348	WScript.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3dfc71cfc45034d671ac0f319bc080bd.exe
"C:\Users\Admin\AppData\Local\Temp\3dfc71cfc45034d671ac0f319bc080bd.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\3dfc71cfc45034d671ac0f319bc080bd.exe
  "C:\Users\Admin\AppData\Local\Temp\3dfc71cfc45034d671ac0f319bc080bd.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\klKTn5LH1d.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2448
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:1672
  - - C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
      "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1808
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44a12291-4fd9-4cac-89db-156e3fd4ff7b.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
      - C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36072e2f-a03e-4a91-8ad1-b989574d031f.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05e2f1cf-2d1c-49a3-b45a-a563b51f3aec.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\084cdf84-30bf-4cb7-bd50-dc9a794e7db0.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f088a2d7-5ac2-4f77-82e4-626673bbda5e.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c736dac5-fe9d-4015-b25a-05890f06b120.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ccf9cc7-f1e2-4f5d-b814-4c66238ce951.vbs"
        17⤵
        
        PID:1700
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        18⤵
        
        PID:2596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0676829-a52f-471e-9f7b-cf7f6fbd4dd0.vbs"
        19⤵
        
        PID:2932
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        20⤵
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2063f892-4e53-488f-853c-140b5d797ff7.vbs"
        21⤵
        
        PID:2784
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe"
        22⤵
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e973a9fc-a7c7-446c-95c1-841fac746862.vbs"
        23⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d038f80d-609b-40b2-ae8a-848eb8f5e2d8.vbs"
        23⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94ccff2d-84ea-4f14-b6e9-4a15e9d37cb9.vbs"
        21⤵
        
        PID:1192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5116542c-30b5-4865-9370-558d90c063ac.vbs"
        19⤵
        
        PID:2516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c0e10a56-397a-44ef-b7b4-c51c9b64a206.vbs"
        17⤵
        
        PID:1208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4836a0be-c8a5-464c-9ea1-256f6129196a.vbs"
        15⤵
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9688ce1e-303c-4e39-bfad-7367c1ec5fdd.vbs"
        13⤵
        
        PID:872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5a3f6fb8-2764-44be-b804-c0cf8a4988b8.vbs"
        11⤵
        
        PID:432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\44530c16-9228-4d0e-820c-4978f84ff0d4.vbs"
        9⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8b601a3-c7fa-481e-b3b2-d6ea0d8287a9.vbs"
        7⤵
        
        PID:2408
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f40bf0ea-31f6-46a8-b884-db6883466d4f.vbs"
        5⤵
        
        PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\Sample Music\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\Tasks\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Network Sharing\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\My Documents\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\My Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\My Documents\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\csrss.exe

Filesize
885KB

MD5
9d576d3f73080f31f1bdb8122a847941

SHA1
17cd68dc2e70bea9a8be17d9c64f223fa5e58d55

SHA256
680c5e0e62d0785283d53b6192e099a32eb8ed6f8788d49bd81292ba19f23bc9

SHA512
a2f73c25c9ca79d000d9b1226115d8138a19065484d0c024e0b98f40dc47f95b42d166bb6ecc08ea583801fcdcf6bf077cda1025067eefe676b7baa9dbcd7347

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\OSPPSVC.exe

Filesize
880KB

MD5
d15fd3b76873dbabd1ba270fc749862e

SHA1
b584651edfd56f56a5eb0db9aac1e165c52d89f5

SHA256
ffb0fc18ecfdd98dd3a79cd2f6eb70f307e065f67bf7f429c0cc00cabe58ddcb

SHA512
cb052af74c42bc2276cb4a48afed08518b08ed4eced938171e683531104dabb6599f020102953671dd69476f99fe4f10acd5d94cac2873ab57c810f5ba8853b6

Download Submit
C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe

Filesize
885KB

MD5
3dfc71cfc45034d671ac0f319bc080bd

SHA1
7d8a8faccf06d8ec762bdf56e8842dd069ec3801

SHA256
13af700b0453342984055a1e70619698a9163812e7524e4c6c264e29f25fd9a1

SHA512
8c824df6e8976dbf362cc075a1f114d9b86ad16cc0bedd880ef0a6afb7e745b901d957b96b8cf40020cbfb1c52f82874eacd319a9dc905b64d793c953503a00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\05e2f1cf-2d1c-49a3-b45a-a563b51f3aec.vbs

Filesize
741B

MD5
a7553c9ce76eec00e9f7c9c5cf32fb87

SHA1
14c4676b5ef2ceca84a9392477815e7958991e68

SHA256
a41cf3aa02208aea5735e38f29544e3e9b9dc827dce6a01a90f0eb6661f0d535

SHA512
faa3d49ac142528b979127fb019568fcc7af16b61e35d1bcbf760170d9b4249281dbe2c61731f4727f47ef21ca974e48579163b038fe308781c54172dea13b79

Download Submit
C:\Users\Admin\AppData\Local\Temp\084cdf84-30bf-4cb7-bd50-dc9a794e7db0.vbs

Filesize
741B

MD5
b2a1d8d1622ac30092d12d41fa73f12b

SHA1
c47c203c89420e51100bbd2ea5ba8d01a72eb50f

SHA256
a7a0a85422ce3a026328ac02c8daeaeaed15157221599c4564c097d9a5b4135b

SHA512
d70801cb8e84f866407026ed30a15fb9baae6c1433a2b0aefcf7adb39a25dab15dd3b9814cdff4e303e0267345196030a3b6d769ec481ca6eeb4dfb3ea2efed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ccf9cc7-f1e2-4f5d-b814-4c66238ce951.vbs

Filesize
741B

MD5
08f3cbfb8d637b3e4d4cfba13c9772e8

SHA1
e2514c956ac14e287641eea4cc6478cb9043bee5

SHA256
0f22399bf69f2d00f452d124cf02319fa1713b573585d759a16a3259b6c3c8a6

SHA512
73a4c95dbabdc61e930685511b06629e375f4dc0c6d4cda309808299b9e428ed3514d25dd48bfdcebf0629223a0dc9459ee86ff7158293ac012816da7deef65c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2063f892-4e53-488f-853c-140b5d797ff7.vbs

Filesize
741B

MD5
1eecfa4a81340d07381908598821bd15

SHA1
94b1f820a219a58b3bdc97d35ca3e1cca5e3178e

SHA256
b36f8a1d4767d57fedec8fce02b35628b54df70abf7022d4ea0f9809ca0a7843

SHA512
b90d047317a95bf975d16a8fabe37cc3e171a96539e576ea48dee6eef8bad3a5bccac8dd616ff4ac46f6fb2ff4f7b5aa82ab9e3a260a393c9b30c4565563f121

Download Submit
C:\Users\Admin\AppData\Local\Temp\36072e2f-a03e-4a91-8ad1-b989574d031f.vbs

Filesize
741B

MD5
c78b7d2818a8c72582ed500d9b15bed8

SHA1
87464edcdf3c7f61d17c4d630f59667072a1259d

SHA256
766d51218d9bd83fc6c2aeb1fe8fd16d54ac888fa43fe35abe6857baf0d4b4bd

SHA512
7b4925f857e3f145f49b20c1d36011a8b4ffff3978c7046405acbc9299a6f37a6285f9c5acaef6991b7ba51c7b6253ca94ec52f6138f94a647c0d3d86838326e

Download Submit
C:\Users\Admin\AppData\Local\Temp\44a12291-4fd9-4cac-89db-156e3fd4ff7b.vbs

Filesize
741B

MD5
db76b34711c9ef7cdc4e86343fb00d66

SHA1
e91695d2cb47196becf8f43bc91be5587ae9f092

SHA256
2e3833fd99572f8b105c36ee4d8654a91b86bc91152174ae99e24b1e06259d04

SHA512
19b678bc3437f0841512c63195e67eb9243efd8e2cf47b2e28a11884ead73ea7e9624b4b1de6272ca6bf06cd37de5a6ee4b5b2025e80a9cf5b830dfa5e60f122

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0676829-a52f-471e-9f7b-cf7f6fbd4dd0.vbs

Filesize
741B

MD5
9cef12eb6bbce1feda64d2c3d3a3bafa

SHA1
76fab0a0801e3bc570ea48e0b1088a27f54d6674

SHA256
73a68b1fdd04585c8678cf2441f77a3345c17c429854d7019ebd9a2b6bb2c728

SHA512
d1541840f515647e69b1637bd3fdfd870305602b96a0590e640dec08164c564c7b99ccff8a7ea17018ad75cf53511bdda9f6a1dfa36319574be23101d7eea347

Download Submit
C:\Users\Admin\AppData\Local\Temp\c736dac5-fe9d-4015-b25a-05890f06b120.vbs

Filesize
741B

MD5
2c0a4b98fb1f6f8cd1bdb3e61dd3254b

SHA1
fbb105c22d5f9b6bf2ef801b950389d67ad0868b

SHA256
36433884ff0b5f92817669a712f07857ef2eb07241f3ac4baa2339cffe63004b

SHA512
b5a2355e589ed5d69c0d277a393c92d3b89f384010f680d8eea222b4a3fd8738ac05a11e4c6e987880f0b677d182198cfe4d5072dccbc41ab032f749cc857434

Download Submit
C:\Users\Admin\AppData\Local\Temp\e973a9fc-a7c7-446c-95c1-841fac746862.vbs

Filesize
741B

MD5
218b56ef7d096781f5c9681f65c92664

SHA1
1a22261ac4f77577a2acca5a5cfc350b89c61187

SHA256
69f1bc4c34f2eaedf19f2d33ee53788a128d10ea05e6c4e4165fec3e2ef121d3

SHA512
e56a0f672128e1031390528eaeb4086e79195dcbacd800e6e1094fcf2d2af9e943fef4032eb6d8f48c97e8b2e7759433f298ef19474e145a807b7d237cf850c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f088a2d7-5ac2-4f77-82e4-626673bbda5e.vbs

Filesize
741B

MD5
255be8bcb072a1d7d43d7b8af0b4b31a

SHA1
60a3855f2d0be5e6cc4d1a16c2e5d8f9c3b3c970

SHA256
acc76c4263964c4647b05a0e20866eb0314ffc0d54a12d38777658d40d9c43db

SHA512
e65c3c1e56ea241c3565c4ba18ffb46f2e02258351953753bd8a00d72cad0faca2e8509e0305844495bbaee1b31f7521feaa4f6ca22b254b8d48aa0f4e03c05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f40bf0ea-31f6-46a8-b884-db6883466d4f.vbs

Filesize
517B

MD5
f0719776e3c10c842913de66237ec27e

SHA1
83e92d88bdb4d832d57bd44f7be3b9ff7a85f370

SHA256
9790213bbc147596b9605909ba44a55b2a6a1632b27c0265526d7a354adf65e1

SHA512
fad4592e24b959ad57ad2f8699e0b4d3b2cf13a96ca10446033c6f0cc6acc332b355f14bc1430b07ec01f49f6477e12191433d0aef4d9743cbd83be9f1233ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\klKTn5LH1d.bat

Filesize
230B

MD5
702dcb934ad994561ac0790649d54fdc

SHA1
c3fab122a8f10cbb71f1a4befabfa3f86724bff8

SHA256
fbb4a28c6ae93dbbe6b43115e1d8666090b2cb324c34743553da97e758bc78ed

SHA512
8eb36c973889faed1a861d9ae673f13bb54d02bee6fa6a5a7f79bf2544dd2a8646b3fd33c686a3a57518545958a17243f7e794929f670d650970109b081e099f

Download Submit
memory/1204-324-0x0000000001300000-0x00000000013E4000-memory.dmp

Filesize
912KB

Download
memory/1628-8-0x0000000000A60000-0x0000000000A68000-memory.dmp

Filesize
32KB

Download
memory/1628-7-0x0000000000A50000-0x0000000000A5E000-memory.dmp

Filesize
56KB

Download
memory/1628-132-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-1-0x00000000011E0000-0x00000000012C4000-memory.dmp

Filesize
912KB

Download
memory/1628-9-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/1628-0-0x000007FEF5A63000-0x000007FEF5A64000-memory.dmp

Filesize
4KB

Download
memory/1628-2-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp

Filesize
9.9MB

Download
memory/1628-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1628-6-0x00000000004A0000-0x00000000004AA000-memory.dmp

Filesize
40KB

Download
memory/1628-4-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/1628-5-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/1796-312-0x0000000001190000-0x0000000001274000-memory.dmp

Filesize
912KB

Download
memory/1808-289-0x0000000000D60000-0x0000000000E44000-memory.dmp

Filesize
912KB

Download
memory/2428-358-0x00000000001C0000-0x00000000002A4000-memory.dmp

Filesize
912KB

Download
memory/2596-370-0x0000000001050000-0x0000000001134000-memory.dmp

Filesize
912KB

Download
memory/2664-300-0x0000000000E90000-0x0000000000F74000-memory.dmp

Filesize
912KB

Download