dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
58s
max time network
64s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Size

1.6MB
MD5

517861702fe0a89aa5e3af35d9f96661
SHA1

50101d8bff153320694baf54bc7b68e585720d4d
SHA256

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
SHA512

da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2264	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2264	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2236-1-0x0000000000FB0000-0x0000000001152000-memory.dmp	dcrat
behavioral11/files/0x0005000000019f3f-25.dat	dcrat
behavioral11/files/0x000700000001a495-80.dat	dcrat
behavioral11/files/0x0008000000019f3f-124.dat	dcrat
behavioral11/files/0x000d00000001a300-173.dat	dcrat
behavioral11/files/0x000900000001a415-196.dat	dcrat
behavioral11/memory/2828-280-0x00000000003F0000-0x0000000000592000-memory.dmp	dcrat
behavioral11/memory/1924-291-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat
behavioral11/memory/2272-303-0x0000000001310000-0x00000000014B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2528	powershell.exe
1628	powershell.exe
1596	powershell.exe
2948	powershell.exe
2888	powershell.exe
1832	powershell.exe
2800	powershell.exe
2672	powershell.exe
1632	powershell.exe
2788	powershell.exe
2920	powershell.exe
1488	powershell.exe
800	powershell.exe
2336	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
2828	WmiPrvSE.exe
1924	WmiPrvSE.exe
2272	WmiPrvSE.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\69ddcba757bf72	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXBFA7.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\RCXC1AD.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Common Files\smss.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Media Player\fr-FR\Idle.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\Idle.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Common Files\smss.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Offline\RCXC1AC.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\6203df4a6bafc7	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXB03F.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXCA4C.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Common Files\RCXCABA.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Media Player\fr-FR\6ccacd8608530f	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Google\Update\Offline\24dbde2999530e	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\RCXB03E.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXB6BA.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\en-US\RCXB6BB.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXBFA8.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\69ddcba757bf72	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LiveKernelReports\RCXC3B1.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXC5B6.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\LiveKernelReports\wininit.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\PolicyDefinitions\sppsvc.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\lsass.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\RemotePackages\RemoteApps\lsass.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\RemotePackages\RemoteApps\6203df4a6bafc7	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\PolicyDefinitions\0a1fd5f707cd16	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXB8C0.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXC3B2.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\PolicyDefinitions\sppsvc.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\LiveKernelReports\56085415360792	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXB8BF.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\LiveKernelReports\wininit.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXC624.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1724	schtasks.exe
1976	schtasks.exe
2944	schtasks.exe
2960	schtasks.exe
2036	schtasks.exe
2680	schtasks.exe
1980	schtasks.exe
2156	schtasks.exe
1992	schtasks.exe
1688	schtasks.exe
3004	schtasks.exe
600	schtasks.exe
2056	schtasks.exe
1504	schtasks.exe
1524	schtasks.exe
960	schtasks.exe
2884	schtasks.exe
2564	schtasks.exe
2192	schtasks.exe
1760	schtasks.exe
2108	schtasks.exe
1152	schtasks.exe
2984	schtasks.exe
1668	schtasks.exe
2296	schtasks.exe
2664	schtasks.exe
2304	schtasks.exe
2852	schtasks.exe
2320	schtasks.exe
2080	schtasks.exe
3048	schtasks.exe
1868	schtasks.exe
2828	schtasks.exe
2728	schtasks.exe
2012	schtasks.exe
624	schtasks.exe
1652	schtasks.exe
1920	schtasks.exe
2172	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2800	powershell.exe
1632	powershell.exe
1596	powershell.exe
2788	powershell.exe
1628	powershell.exe
2336	powershell.exe
2948	powershell.exe
1832	powershell.exe
1488	powershell.exe
2920	powershell.exe
2888	powershell.exe
2672	powershell.exe
2528	powershell.exe
800	powershell.exe
2828	WmiPrvSE.exe
1924	WmiPrvSE.exe
2272	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2828	WmiPrvSE.exe
Token: SeDebugPrivilege	1924	WmiPrvSE.exe
Token: SeDebugPrivilege	2272	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2800	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	70
PID 2236 wrote to memory of 2800	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	70
PID 2236 wrote to memory of 2800	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	70
PID 2236 wrote to memory of 2672	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	71
PID 2236 wrote to memory of 2672	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	71
PID 2236 wrote to memory of 2672	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	71
PID 2236 wrote to memory of 1632	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	72
PID 2236 wrote to memory of 1632	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	72
PID 2236 wrote to memory of 1632	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	72
PID 2236 wrote to memory of 2920	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	73
PID 2236 wrote to memory of 2920	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	73
PID 2236 wrote to memory of 2920	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	73
PID 2236 wrote to memory of 2788	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	75
PID 2236 wrote to memory of 2788	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	75
PID 2236 wrote to memory of 2788	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	75
PID 2236 wrote to memory of 2888	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 2236 wrote to memory of 2888	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 2236 wrote to memory of 2888	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 2236 wrote to memory of 2948	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 2236 wrote to memory of 2948	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 2236 wrote to memory of 2948	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 2236 wrote to memory of 1628	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 2236 wrote to memory of 1628	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 2236 wrote to memory of 1628	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 2236 wrote to memory of 800	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 2236 wrote to memory of 800	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 2236 wrote to memory of 800	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 2236 wrote to memory of 1488	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 2236 wrote to memory of 1488	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 2236 wrote to memory of 1488	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 2236 wrote to memory of 2528	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 2236 wrote to memory of 2528	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 2236 wrote to memory of 2528	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 2236 wrote to memory of 1596	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	84
PID 2236 wrote to memory of 1596	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	84
PID 2236 wrote to memory of 1596	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	84
PID 2236 wrote to memory of 2336	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	85
PID 2236 wrote to memory of 2336	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	85
PID 2236 wrote to memory of 2336	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	85
PID 2236 wrote to memory of 1832	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	86
PID 2236 wrote to memory of 1832	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	86
PID 2236 wrote to memory of 1832	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	86
PID 2236 wrote to memory of 2876	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	98
PID 2236 wrote to memory of 2876	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	98
PID 2236 wrote to memory of 2876	2236	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	98
PID 2876 wrote to memory of 624	2876	cmd.exe	100
PID 2876 wrote to memory of 624	2876	cmd.exe	100
PID 2876 wrote to memory of 624	2876	cmd.exe	100
PID 2876 wrote to memory of 2828	2876	cmd.exe	102
PID 2876 wrote to memory of 2828	2876	cmd.exe	102
PID 2876 wrote to memory of 2828	2876	cmd.exe	102
PID 2828 wrote to memory of 668	2828	WmiPrvSE.exe	103
PID 2828 wrote to memory of 668	2828	WmiPrvSE.exe	103
PID 2828 wrote to memory of 668	2828	WmiPrvSE.exe	103
PID 2828 wrote to memory of 3040	2828	WmiPrvSE.exe	104
PID 2828 wrote to memory of 3040	2828	WmiPrvSE.exe	104
PID 2828 wrote to memory of 3040	2828	WmiPrvSE.exe	104
PID 668 wrote to memory of 1924	668	WScript.exe	105
PID 668 wrote to memory of 1924	668	WScript.exe	105
PID 668 wrote to memory of 1924	668	WScript.exe	105
PID 1924 wrote to memory of 2356	1924	WmiPrvSE.exe	106
PID 1924 wrote to memory of 2356	1924	WmiPrvSE.exe	106
PID 1924 wrote to memory of 2356	1924	WmiPrvSE.exe	106
PID 1924 wrote to memory of 2896	1924	WmiPrvSE.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
"C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKrYzMUfk6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:624
- - C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe
    "C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cfa5c8c-7e97-45c7-a23f-005652c5a442.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:668
    - - C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c4eb9a2-2aad-4d79-8bcc-9c900db149e5.vbs"
        6⤵
        
        PID:2356
        
        C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65a3efc6-ee19-44bd-8c41-7a2d0de52bed.vbs"
        8⤵
        
        PID:1728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4c6be8b5-6f8f-4768-8b6f-c442841c9b87.vbs"
        8⤵
        
        PID:3004
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61b26186-5e57-46a2-b354-1a64164845e9.vbs"
        6⤵
        
        PID:2896
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a670a61a-97df-4e7e-984d-542a404ccadd.vbs"
      4⤵
      PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\RemotePackages\RemoteApps\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Update\Offline\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\PolicyDefinitions\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\PolicyDefinitions\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\csrss.exe

Filesize
1.6MB

MD5
d9d3ee27edcb7b8eec0bce96b9f42c02

SHA1
151f1b3b31669ca9ce7b766e5f9b3dc58b6a13b0

SHA256
ad342e1606c1fb7676c55ce856ba367c8dff62c0271e234be49031bacdebc9f3

SHA512
68f9c5fd05b74221c935bb3d613a870a950d34befd815b1b9c73fb9b0951fe6701d2a7ac034fe81192c687f73bd69d8673556329f55fbea04e52c16e5aa4f62c

Download Submit
C:\Program Files (x86)\Common Files\smss.exe

Filesize
1.6MB

MD5
5698cd22f360595409aa0bc594eeebf7

SHA1
afb23c489ac4259f9d15d0aebe62133710577e94

SHA256
a3610d5e4f38e36054809190e4f45af1ca44147f8820c05a2d30835fcbf4a4c6

SHA512
063bbf46d4fff35992dda4957cf73cd9cee1d9778cbba6c094e68ad0f4a4a580aca966b2f880cc7bd43aecf7d2990d6a8f79ebf691d7314197aa279601a03cbe

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\dwm.exe

Filesize
1.6MB

MD5
b10d894aeee8d9e0f2df590cf75901e0

SHA1
2e64035fea8f30673be4ca84b5e0626c4858ba11

SHA256
da7388767fc341503bf812a0d112b69cf3fc59b242daf034b5f71aa66e249210

SHA512
45b1d6725162cd44af3c1eb9f0065c363863c02da0b4c8dbbffa48ca90dec8e89dd1db148d3675704385cb6b22ac05f46e605737098a44ab8f82092d6588287d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c4eb9a2-2aad-4d79-8bcc-9c900db149e5.vbs

Filesize
733B

MD5
143ab04602575e8dd37154140dc3f5ec

SHA1
e34330fdfb36885dca2d3b131b3fa504de3d8703

SHA256
60f30c62c88124ffb32c7c0c684f75aa15db4cac4f62cf0ead2580b4cb632b9c

SHA512
7eac46b128679f99e653f0d4839ad60fbbf08ac4c1897a42cb5e4031a3d3c28d606b757d729cfe6b3893027bc6d0c2588db21bd680a013e9aaa2356292e84ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfa5c8c-7e97-45c7-a23f-005652c5a442.vbs

Filesize
733B

MD5
f8f6d64f89a15bbc5b402a87f478b30c

SHA1
e6d494797bf4590b5022f301d3892d0d6b699917

SHA256
b1f51eb33ebd36218d7e3c3bd5bb819bba85ad78ef3358f798cf889c41d196e3

SHA512
fc3659ba131308f53a761dea1f24d2ebab53b5fa09ae1e8f4e217446ae948f12d37e437fc456dffef82a804acda1509acee0d9b6d771961b842aa93fcf20c50a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a670a61a-97df-4e7e-984d-542a404ccadd.vbs

Filesize
509B

MD5
6e82e343bedcb0ee0c3b5d71bf1f6e2a

SHA1
82327e64fd3b006fd38befb0424dedfa725051ee

SHA256
7e4b1847d29724bf0b42004b294fd169d7b5a3b499880b3e59775e259e384bb7

SHA512
a006225d7ab4aa8121ab1d1aa6dcd463b7c0532919304a3655274981a010bcd0af0f13d25b7b5177693bfe0c92fed9b839dda6949ab61b421d6ebfbdaec56350

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKrYzMUfk6.bat

Filesize
222B

MD5
0757a4c447b7a045671d061af03b479b

SHA1
c5afaa0455950f71ef4295a2d40e16b95a5e91fa

SHA256
ef141f4575791b04f647d4737275087d24f78542ec807a2be112d555437efbe0

SHA512
a16170facf8f0d22c0171962148325ea65938bf7fd6d9bb6437ac51a54a9406c9bfc277dd54dc673a63a65f6f01b26e91562e0a41b7dfd8d4828c426e3870d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
34e2003ff04fa45b6c96aff4dc9bf1a5

SHA1
598f54a83d720c4dccc0e8faeb880da70c804842

SHA256
0bc7fc60d62f9ed692c658c654fa7106cca56fe6f5b9fd9f06ebec992ed18438

SHA512
d56db4c75c1f010ea0538c64ab650b361773f4606f7a62a14c8be7ea12de59be3bf1a225fcd0adf60552124fb048a37b308015421a97304ea141c623eee48c7d

Download Submit
C:\Windows\PolicyDefinitions\sppsvc.exe

Filesize
1.6MB

MD5
4b9eb037a8c9964d057a43c71c23c01f

SHA1
09048bac818de876371dccad94ac306241e6b581

SHA256
31cc6973bee7e5859fd67874b142d073ca6da25227338cb21faf5b0598fc3dca

SHA512
7fb890495e37c7c426a0e90a1ed960a0cbd063ead0af0ae5ed8778e436499724fdfee76aa848f13b840a9459a1b0fbb35aa952b94faed4bf82fa07971ced6f12

Download Submit
C:\Windows\RemotePackages\RemoteApps\lsass.exe

Filesize
1.6MB

MD5
517861702fe0a89aa5e3af35d9f96661

SHA1
50101d8bff153320694baf54bc7b68e585720d4d

SHA256
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

SHA512
da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

Download Submit
memory/1632-227-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/1924-291-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/2236-8-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2236-228-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-12-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/2236-15-0x0000000000BF0000-0x0000000000BFA000-memory.dmp

Filesize
40KB

Download
memory/2236-16-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/2236-14-0x0000000000BE0000-0x0000000000BE8000-memory.dmp

Filesize
32KB

Download
memory/2236-11-0x0000000000620000-0x000000000062A000-memory.dmp

Filesize
40KB

Download
memory/2236-10-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2236-9-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2236-0-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/2236-203-0x000007FEF55B3000-0x000007FEF55B4000-memory.dmp

Filesize
4KB

Download
memory/2236-13-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/2236-7-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/2236-1-0x0000000000FB0000-0x0000000001152000-memory.dmp

Filesize
1.6MB

Download
memory/2236-6-0x0000000000170000-0x0000000000178000-memory.dmp

Filesize
32KB

Download
memory/2236-5-0x00000000003A0000-0x00000000003B6000-memory.dmp

Filesize
88KB

Download
memory/2236-2-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

Filesize
9.9MB

Download
memory/2236-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/2236-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/2272-303-0x0000000001310000-0x00000000014B2000-memory.dmp

Filesize
1.6MB

Download
memory/2800-226-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2828-280-0x00000000003F0000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download