dcrat | 000996e02592d6f5216a77464baff2591739b5cb35a8ad930a5424c9099c7e11

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Size

1.6MB
MD5

1e635900f25bb2891a42cf6d65ca80eb
SHA1

0c6e3ec0b571ee3d1504a4769a77405ba9a54edb
SHA256

0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef
SHA512

c3c215add9a07614b4fff768ac3aeea0ebbaa459e85d6f080aa3734d4eb0742536535c4156201299bbcf86f453acdfc961585eb2536790e58cecfd32db5772a8
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2236	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2236	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/2824-1-0x0000000000080000-0x0000000000222000-memory.dmp	dcrat
behavioral29/files/0x0005000000019625-25.dat	dcrat
behavioral29/files/0x000c0000000120f6-71.dat	dcrat
behavioral29/files/0x000b00000001961f-106.dat	dcrat
behavioral29/memory/1568-192-0x0000000000DE0000-0x0000000000F82000-memory.dmp	dcrat
behavioral29/memory/1464-214-0x0000000000350000-0x00000000004F2000-memory.dmp	dcrat
behavioral29/memory/1168-226-0x0000000000DC0000-0x0000000000F62000-memory.dmp	dcrat
behavioral29/memory/1724-270-0x0000000001060000-0x0000000001202000-memory.dmp	dcrat
behavioral29/memory/1736-282-0x0000000000070000-0x0000000000212000-memory.dmp	dcrat
behavioral29/memory/1584-294-0x00000000012E0000-0x0000000001482000-memory.dmp	dcrat
behavioral29/memory/2436-306-0x00000000001E0000-0x0000000000382000-memory.dmp	dcrat
behavioral29/memory/2524-318-0x0000000000FC0000-0x0000000001162000-memory.dmp	dcrat
behavioral29/memory/2980-341-0x0000000001320000-0x00000000014C2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2352	powershell.exe
776	powershell.exe
1680	powershell.exe
864	powershell.exe
2496	powershell.exe
376	powershell.exe
304	powershell.exe
2060	powershell.exe
1920	powershell.exe
568	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1568	lsm.exe
1464	lsm.exe
1168	lsm.exe
2352	lsm.exe
1204	lsm.exe
2680	lsm.exe
1724	lsm.exe
1736	lsm.exe
1584	lsm.exe
2436	lsm.exe
2524	lsm.exe
576	lsm.exe
2980	lsm.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\f3b6ecef712a24	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files\DVD Maker\fr-FR\27d1bcfc3c54e0	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\audiodg.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCX8FB2.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\RCX8FB3.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files (x86)\Uninstall Information\audiodg.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files (x86)\Reference Assemblies\spoolsv.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files\Windows Media Player\es-ES\winlogon.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX827D.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\spoolsv.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCX9224.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\RCX9225.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files (x86)\Uninstall Information\42af1c969fbb7b	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files\DVD Maker\fr-FR\System.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\RCX827E.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX84F0.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX86F4.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\Windows Media Player\es-ES\winlogon.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\6ccacd8608530f	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Program Files\Windows Media Player\es-ES\cc11b995f2a76d	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCX8481.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\RCX86F3.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Program Files\DVD Maker\fr-FR\System.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\TAPI\RCX800C.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Windows\TAPI\WmiPrvSE.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Windows\TAPI\WmiPrvSE.exe	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File created	C:\Windows\TAPI\24dbde2999530e	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
File opened for modification	C:\Windows\TAPI\RCX800B.tmp	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
860	schtasks.exe
484	schtasks.exe
1432	schtasks.exe
1240	schtasks.exe
3044	schtasks.exe
1036	schtasks.exe
2216	schtasks.exe
2672	schtasks.exe
2296	schtasks.exe
2940	schtasks.exe
2968	schtasks.exe
3032	schtasks.exe
1196	schtasks.exe
2640	schtasks.exe
1940	schtasks.exe
1072	schtasks.exe
2976	schtasks.exe
2644	schtasks.exe
2836	schtasks.exe
1840	schtasks.exe
560	schtasks.exe
2368	schtasks.exe
2972	schtasks.exe
468	schtasks.exe
1356	schtasks.exe
2768	schtasks.exe
1784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
304	powershell.exe
2352	powershell.exe
1920	powershell.exe
776	powershell.exe
1680	powershell.exe
376	powershell.exe
864	powershell.exe
568	powershell.exe
2496	powershell.exe
2060	powershell.exe
1568	lsm.exe
1464	lsm.exe
1168	lsm.exe
2352	lsm.exe
1204	lsm.exe
2680	lsm.exe
1724	lsm.exe
1736	lsm.exe
1584	lsm.exe
2436	lsm.exe
2524	lsm.exe
576	lsm.exe
2980	lsm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1568	lsm.exe
Token: SeDebugPrivilege	1464	lsm.exe
Token: SeDebugPrivilege	1168	lsm.exe
Token: SeDebugPrivilege	2352	lsm.exe
Token: SeDebugPrivilege	1204	lsm.exe
Token: SeDebugPrivilege	2680	lsm.exe
Token: SeDebugPrivilege	1724	lsm.exe
Token: SeDebugPrivilege	1736	lsm.exe
Token: SeDebugPrivilege	1584	lsm.exe
Token: SeDebugPrivilege	2436	lsm.exe
Token: SeDebugPrivilege	2524	lsm.exe
Token: SeDebugPrivilege	576	lsm.exe
Token: SeDebugPrivilege	2980	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 2352	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	58
PID 2824 wrote to memory of 2352	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	58
PID 2824 wrote to memory of 2352	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	58
PID 2824 wrote to memory of 776	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	59
PID 2824 wrote to memory of 776	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	59
PID 2824 wrote to memory of 776	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	59
PID 2824 wrote to memory of 568	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	62
PID 2824 wrote to memory of 568	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	62
PID 2824 wrote to memory of 568	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	62
PID 2824 wrote to memory of 304	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	63
PID 2824 wrote to memory of 304	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	63
PID 2824 wrote to memory of 304	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	63
PID 2824 wrote to memory of 1920	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	64
PID 2824 wrote to memory of 1920	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	64
PID 2824 wrote to memory of 1920	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	64
PID 2824 wrote to memory of 376	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	65
PID 2824 wrote to memory of 376	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	65
PID 2824 wrote to memory of 376	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	65
PID 2824 wrote to memory of 2060	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	66
PID 2824 wrote to memory of 2060	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	66
PID 2824 wrote to memory of 2060	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	66
PID 2824 wrote to memory of 2496	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	67
PID 2824 wrote to memory of 2496	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	67
PID 2824 wrote to memory of 2496	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	67
PID 2824 wrote to memory of 864	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	68
PID 2824 wrote to memory of 864	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	68
PID 2824 wrote to memory of 864	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	68
PID 2824 wrote to memory of 1680	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	69
PID 2824 wrote to memory of 1680	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	69
PID 2824 wrote to memory of 1680	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	69
PID 2824 wrote to memory of 1568	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	78
PID 2824 wrote to memory of 1568	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	78
PID 2824 wrote to memory of 1568	2824	0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe	78
PID 1568 wrote to memory of 408	1568	lsm.exe	79
PID 1568 wrote to memory of 408	1568	lsm.exe	79
PID 1568 wrote to memory of 408	1568	lsm.exe	79
PID 1568 wrote to memory of 2552	1568	lsm.exe	80
PID 1568 wrote to memory of 2552	1568	lsm.exe	80
PID 1568 wrote to memory of 2552	1568	lsm.exe	80
PID 408 wrote to memory of 1464	408	WScript.exe	81
PID 408 wrote to memory of 1464	408	WScript.exe	81
PID 408 wrote to memory of 1464	408	WScript.exe	81
PID 1464 wrote to memory of 2036	1464	lsm.exe	83
PID 1464 wrote to memory of 2036	1464	lsm.exe	83
PID 1464 wrote to memory of 2036	1464	lsm.exe	83
PID 1464 wrote to memory of 2184	1464	lsm.exe	84
PID 1464 wrote to memory of 2184	1464	lsm.exe	84
PID 1464 wrote to memory of 2184	1464	lsm.exe	84
PID 2036 wrote to memory of 1168	2036	WScript.exe	85
PID 2036 wrote to memory of 1168	2036	WScript.exe	85
PID 2036 wrote to memory of 1168	2036	WScript.exe	85
PID 1168 wrote to memory of 2860	1168	lsm.exe	86
PID 1168 wrote to memory of 2860	1168	lsm.exe	86
PID 1168 wrote to memory of 2860	1168	lsm.exe	86
PID 1168 wrote to memory of 3036	1168	lsm.exe	87
PID 1168 wrote to memory of 3036	1168	lsm.exe	87
PID 1168 wrote to memory of 3036	1168	lsm.exe	87
PID 2860 wrote to memory of 2352	2860	WScript.exe	88
PID 2860 wrote to memory of 2352	2860	WScript.exe	88
PID 2860 wrote to memory of 2352	2860	WScript.exe	88
PID 2352 wrote to memory of 2104	2352	lsm.exe	89
PID 2352 wrote to memory of 2104	2352	lsm.exe	89
PID 2352 wrote to memory of 2104	2352	lsm.exe	89
PID 2352 wrote to memory of 1360	2352	lsm.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe
"C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2496
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\fr-FR\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Users\Admin\Saved Games\lsm.exe
  "C:\Users\Admin\Saved Games\lsm.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9700b253-ba88-46ad-a795-201f6c1765c8.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Users\Admin\Saved Games\lsm.exe
      "C:\Users\Admin\Saved Games\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bb7bec4b-f0a7-424d-ab71-cac1ee3dc8ca.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2036
      - C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14b2cabd-38be-4359-8964-4bdd4afc881a.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6be7fefd-07d2-4f6a-8f34-b72c28ae5cb7.vbs"
        9⤵
        
        PID:2104
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6b6ea9a5-43d3-43e0-8e1d-e35a77a09261.vbs"
        11⤵
        
        PID:2888
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a54aaf32-567d-4c3d-8d39-c378ec63db4a.vbs"
        13⤵
        
        PID:2616
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea7bd4b0-78ec-4bf0-b274-a0f2cf6135d6.vbs"
        15⤵
        
        PID:2984
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\99c0e260-e80d-4b14-a088-740ef612c015.vbs"
        17⤵
        
        PID:1436
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6207612-8f2c-484d-ac88-afe837a0649a.vbs"
        19⤵
        
        PID:1688
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7df51d1e-cdf7-47a6-b3bc-789168172ee8.vbs"
        21⤵
        
        PID:2172
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e7066049-8fc0-4dc4-abbb-db59025be946.vbs"
        23⤵
        
        PID:2584
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d06734f-e09d-48a5-bf40-2db6e542cd25.vbs"
        25⤵
        
        PID:2216
        
        C:\Users\Admin\Saved Games\lsm.exe
        
        "C:\Users\Admin\Saved Games\lsm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4afc34ed-c6d1-413b-af0d-44a6b0105b18.vbs"
        27⤵
        
        PID:1288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a938bace-08cc-448e-bd13-6b7686110456.vbs"
        27⤵
        
        PID:1496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\60734d0f-ed1c-46c6-813a-85707de93385.vbs"
        25⤵
        
        PID:2992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\645295fe-ea70-4ac7-a0d0-9a6b1fbca9d0.vbs"
        23⤵
        
        PID:1664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f04e24c5-6042-43b3-83b9-c6edabfdf3a3.vbs"
        21⤵
        
        PID:236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9a0541e3-31ae-4637-b7a3-e6bc9bc291ca.vbs"
        19⤵
        
        PID:1084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f98197e2-e46f-4126-b80b-5b28240fd198.vbs"
        17⤵
        
        PID:276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fd542fa-b8b4-47b5-95f3-beecdecf7252.vbs"
        15⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eabfc3a2-3a90-4175-9851-3f54b370352d.vbs"
        13⤵
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a9f155bb-cef5-4dec-85b7-a29a7c10d758.vbs"
        11⤵
        
        PID:1132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e6981729-1ff5-4464-8bb7-b672f331c8cf.vbs"
        9⤵
        
        PID:1360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\66cf17df-900b-41e6-93c8-76b57213606b.vbs"
        7⤵
        
        PID:3036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4c59099-e77d-4a17-869a-48946bb84319.vbs"
        5⤵
        
        PID:2184
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\610020a7-281f-4506-8de3-09180ceebac1.vbs"
    3⤵
    PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\TAPI\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Saved Games\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Uninstall Information\audiodg.exe

Filesize
1.6MB

MD5
c73bbee7c31a8629b6e5450885d628e6

SHA1
9de972b520f5fcc565e03b1924e69f5854b78411

SHA256
d4e4b7bbda4c896eb1b3563676b5ac1875a293d7860c9e701ed3a27c57ce593a

SHA512
c1cbdb4d15dff0901ad223e1db22401d6ffaafdd1951e3d5f36e595af64a5c6a607633892e11f31ac045bc89863ec2081193d97e6a4eaaeae06f335ca5c90070

Download Submit
C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\lsass.exe

Filesize
1.6MB

MD5
1e635900f25bb2891a42cf6d65ca80eb

SHA1
0c6e3ec0b571ee3d1504a4769a77405ba9a54edb

SHA256
0ee8580c3e8ccbefcf4d8b060189dd2dadfdb559b420c4a732270d7303fae6ef

SHA512
c3c215add9a07614b4fff768ac3aeea0ebbaa459e85d6f080aa3734d4eb0742536535c4156201299bbcf86f453acdfc961585eb2536790e58cecfd32db5772a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\14b2cabd-38be-4359-8964-4bdd4afc881a.vbs

Filesize
710B

MD5
240b889d6ca38d80030aa4f52d9b7fd9

SHA1
c49c037e89c0823df2cfc3f8a722f154aabb3ff8

SHA256
b9a13afd59aaa94af64e0235af1c3dedd890637472b46c850412e7e74b5fb8c7

SHA512
9575c349d3b77688008b53a3e43addb6bf09815a19fbaaf504281d4ba6b8cdbd3b05bee8886ff37e52f241527a65ee89034c20c0989a7d44fad7cc4f94da82c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\4afc34ed-c6d1-413b-af0d-44a6b0105b18.vbs

Filesize
710B

MD5
22d961c1d29e8f7acd1ae47496054517

SHA1
42e9202688d91d4a32044ea27fb9f009180fba61

SHA256
0837d5bbefbd0cb68f68ecdd440402773c2a9bcb8b9b405b53663bf8fcf49a15

SHA512
30b7641431b53cd2e42192790eb6a622fffe350af7b755b659e35312668c516c59ac38f1df9a37dc3f86bad7e64dd72faa9c92fe2de01a35322473d8259e9200

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d06734f-e09d-48a5-bf40-2db6e542cd25.vbs

Filesize
709B

MD5
ad46d679a302247a4ce8ac72ebf5abf0

SHA1
756081554f01dd022e31a94b0bf518cc99e3f433

SHA256
3df1058c954e2332ad0c963b4645a43b82d00f72a8100392434d42216ee5a666

SHA512
01be0e6a74611ea4bf07b92f67aa1efa07f682606e4d2878820456185958ff9224439bd48dfd101c84c378e565720783141ff7f6e03e69406d97b6d2e215e0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\610020a7-281f-4506-8de3-09180ceebac1.vbs

Filesize
486B

MD5
b1fe5088d0df317d0f4f852c5c28c5a6

SHA1
000b00834f1def991fb6eab08692f107058f68e6

SHA256
bd54764abd6cea30f21510cdec8dbfae98bf2ea64a99ef325b1c2bce7b3ac3c1

SHA512
19544f2ce6ab8702215941752b824b9bcf7f8217000eb393571060f951139fe3cf29d484da04744dfd9f6a285dc55d39d4b6ed0aa14fbceb83f7b67b8c52d44b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6b6ea9a5-43d3-43e0-8e1d-e35a77a09261.vbs

Filesize
710B

MD5
64ce60f1680971a43b61ef633e02b3fd

SHA1
ddc0f6f2aa203f37e848b37b262cd316ee72c694

SHA256
ff62c5a66073cd7bb963b283e2a8f2a21270e66e7e01e03f64949aabe62fbac2

SHA512
f6bb4d7f0753ca13894f01b0924e1f5a4bc6ed6fb33c6ede30b9d4fc4a599543cff9de5360e4e03a7969e942372b0d99628517e14b5ad3c993f88f48fa8b4bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\7df51d1e-cdf7-47a6-b3bc-789168172ee8.vbs

Filesize
710B

MD5
eee4bf948dd7b1fd6a513198aed5fcee

SHA1
a6218ecbef1ddbcf896fa0a74c0a491b54da47dd

SHA256
e0faaf923723dbfbdea2863aedc0fe812db7fa84982345c862e84e79d3210ee8

SHA512
48a5581a4e54672ee45efd83081e80fe3deb28aa68d323082fc2a4ee18041dcc6e47f957608c059f8196d0ed95b8a4ffb5248e40521830c81e60d85e1369c919

Download Submit
C:\Users\Admin\AppData\Local\Temp\9700b253-ba88-46ad-a795-201f6c1765c8.vbs

Filesize
710B

MD5
435a2d8d74c2d06ce67c5339d1d1b5d9

SHA1
f6a750e1368e63fd136a24ed9ecc958ed67eb22e

SHA256
b41f68a647127ccb321619fe8f4ab2bd4e26e1352b7fb6e90e5288ff17a0bacf

SHA512
d70f167233f1acfecc34c97fe0750530f5c0dc0c3d839a850b3c65549a3148725274b5caa06e2c359b57a286f4f215b3e81066aae052ea39d467d9229bab320a

Download Submit
C:\Users\Admin\AppData\Local\Temp\99c0e260-e80d-4b14-a088-740ef612c015.vbs

Filesize
710B

MD5
07213eac0016363dfda62a20ebc33941

SHA1
2d33610a23de827b3d2bc0bf9cc5a2be2009c919

SHA256
611c634beac8baa5c7c540da4e54c0a10f71158d19c367ec05b553f822de9147

SHA512
8123b07f4ad5e2cfdb1dfbb9e2c5884279525d26354928e9c223572bb6ed45aac409a3f6249db36a03eaa5918c0f52e53d47d3a0d29cd507564a7e5d952512e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\a54aaf32-567d-4c3d-8d39-c378ec63db4a.vbs

Filesize
710B

MD5
16aeca8bdb947b6fc51fd23380c8c64d

SHA1
925904e373d5111964e22dd506f848cc17921d68

SHA256
2ef0971bb843f38c4ed0149a4730d4355c9258f8f64eddf0f6f70a78cf6e55c1

SHA512
76ee3ac0243ea40f0cc76e9fc2a9245fd6221806d5135ed52142e2391b648a878f92a7de4e969910b6f4c0a09703ee7dca865c2b4f86c408d77bbec34a14eb12

Download Submit
C:\Users\Admin\AppData\Local\Temp\bb7bec4b-f0a7-424d-ab71-cac1ee3dc8ca.vbs

Filesize
710B

MD5
67695129c7d0fc582e359e40c8cb2dd7

SHA1
d7fc8522985ab09236544fcba0ed2dd975f39878

SHA256
22ab6c941918ce90666dd11ec4964754f0ca52d108674cd0891853e62374f9a3

SHA512
f17b119ffe4017c08d9cb2feadaad41057177f9403e136d5559e8097e95c9ff52b8b82a3bb67ebf14e6da25ada5e559c5d1fb4e6c6b996961ee51770fbd15624

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6207612-8f2c-484d-ac88-afe837a0649a.vbs

Filesize
710B

MD5
2b80ad265c6764d822a3fa63a0eb06b2

SHA1
e6c535cad1e67b42a5f5dabb94bca1ad50127474

SHA256
0b3f70cab26805d4413bc2c8c4c01cf55c456c047add9202687c2c9c0ab72b1a

SHA512
f141488f60d1abf7f96b1e7a8eb742ddbc3346cef58d6be6b128242aa12c816339365c229b44310d4ed395c52e5c329a9ae77088aebc6e7b76b038ceb4519fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e7066049-8fc0-4dc4-abbb-db59025be946.vbs

Filesize
710B

MD5
11764ec9f984de96abc9819619580707

SHA1
7141a85ec9fcc3250b297dba953caaf234d74ce7

SHA256
8f223d0578aea40d926082bcb9f36b88f34229503a08f6458224dda89f8c8258

SHA512
0142d95f77a3103373a705e408b46e190677dd21487bc791d7d10f38b4c49fd7ca9680a7d2e88ab94947fe6348b1fc08635984f6ee3dbd314ebb1549093b7ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea7bd4b0-78ec-4bf0-b274-a0f2cf6135d6.vbs

Filesize
710B

MD5
44a77d077c44c9e3e23a4667c25478ff

SHA1
bc7e8b322eb5a9c420e30cb362f480a424f01540

SHA256
1c0469ef2e6e0db1dc6cb1bd45f05df9b211de50bb5663e491d86b17984d2757

SHA512
155811cc5a8dda3e2210bed57e6bb3907df460ac9d2b582c29c6bc2b3ce31c7976a4d2eb63e8a4471cbea60e48174633a7572c3277686c91dfe63c6f065e02f5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RAAH55XWP3FEWMS5ZE1R.temp

Filesize
7KB

MD5
7a794b8b6fe0abfd82d72105b5cadbae

SHA1
2029a995ee1b36ea2ada1d3f9e198296bfb9074a

SHA256
e6f6852532b839ca51e039605b408b559b69224b824139804e7c1a1a1f710da9

SHA512
632d3e13f7acb910c2300c97c74b739e4d43126ddc43340da25fa851ef1b3be49ba5bb7ebc8832689d8900916030e44b7994eec771c9f6174d8070d9dd0e204c

Download Submit
C:\Users\Default\System.exe

Filesize
1.6MB

MD5
0b4108ecaad10c3db7069e4a427c4798

SHA1
365f6b6aa442724bddc5a3ee80c9b998e3e6671c

SHA256
08c7ed3e264a2c710764eb7caf3b3f88adb3d022782f9d90c30bae295636ac48

SHA512
ea3000cddd28e9b3aea0d13c1583c0b2e694a971482e93a61f2f40ecba1af7a7cd7fa54fce82b6236548039f428705ead1caae6c97869bc7802071eb26ee7ed7

Download Submit
memory/304-181-0x0000000002880000-0x0000000002888000-memory.dmp

Filesize
32KB

Download
memory/776-161-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1168-226-0x0000000000DC0000-0x0000000000F62000-memory.dmp

Filesize
1.6MB

Download
memory/1464-214-0x0000000000350000-0x00000000004F2000-memory.dmp

Filesize
1.6MB

Download
memory/1568-192-0x0000000000DE0000-0x0000000000F82000-memory.dmp

Filesize
1.6MB

Download
memory/1584-294-0x00000000012E0000-0x0000000001482000-memory.dmp

Filesize
1.6MB

Download
memory/1724-270-0x0000000001060000-0x0000000001202000-memory.dmp

Filesize
1.6MB

Download
memory/1736-282-0x0000000000070000-0x0000000000212000-memory.dmp

Filesize
1.6MB

Download
memory/2436-306-0x00000000001E0000-0x0000000000382000-memory.dmp

Filesize
1.6MB

Download
memory/2524-318-0x0000000000FC0000-0x0000000001162000-memory.dmp

Filesize
1.6MB

Download
memory/2824-11-0x0000000002160000-0x000000000216A000-memory.dmp

Filesize
40KB

Download
memory/2824-7-0x0000000002020000-0x0000000002030000-memory.dmp

Filesize
64KB

Download
memory/2824-203-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-12-0x0000000002170000-0x000000000217E000-memory.dmp

Filesize
56KB

Download
memory/2824-10-0x0000000002150000-0x000000000215C000-memory.dmp

Filesize
48KB

Download
memory/2824-9-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2824-0-0x000007FEF5FB3000-0x000007FEF5FB4000-memory.dmp

Filesize
4KB

Download
memory/2824-8-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/2824-14-0x0000000002190000-0x0000000002198000-memory.dmp

Filesize
32KB

Download
memory/2824-15-0x00000000021A0000-0x00000000021AA000-memory.dmp

Filesize
40KB

Download
memory/2824-6-0x00000000005D0000-0x00000000005D8000-memory.dmp

Filesize
32KB

Download
memory/2824-5-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/2824-13-0x0000000002180000-0x0000000002188000-memory.dmp

Filesize
32KB

Download
memory/2824-4-0x00000000003A0000-0x00000000003B0000-memory.dmp

Filesize
64KB

Download
memory/2824-16-0x000000001A740000-0x000000001A74C000-memory.dmp

Filesize
48KB

Download
memory/2824-3-0x0000000000380000-0x000000000039C000-memory.dmp

Filesize
112KB

Download
memory/2824-2-0x000007FEF5FB0000-0x000007FEF699C000-memory.dmp

Filesize
9.9MB

Download
memory/2824-1-0x0000000000080000-0x0000000000222000-memory.dmp

Filesize
1.6MB

Download
memory/2980-341-0x0000000001320000-0x00000000014C2000-memory.dmp

Filesize
1.6MB

Download