dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
60s
max time network
64s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0343adab1970d928320ce2aa587fd3.exe
Size

1.6MB
MD5

1f0343adab1970d928320ce2aa587fd3
SHA1

e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8
SHA256

9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4
SHA512

c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2532	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2532	schtasks.exe	30

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral19/memory/3048-1-0x00000000011E0000-0x0000000001382000-memory.dmp	dcrat
behavioral19/files/0x000500000001961b-25.dat	dcrat
behavioral19/files/0x000800000001961b-151.dat	dcrat
behavioral19/files/0x000b000000019f3f-198.dat	dcrat
behavioral19/files/0x000600000001a495-216.dat	dcrat
behavioral19/files/0x000700000001a495-234.dat	dcrat
behavioral19/memory/620-391-0x00000000001C0000-0x0000000000362000-memory.dmp	dcrat
behavioral19/memory/1100-402-0x0000000001260000-0x0000000001402000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1724	powershell.exe
656	powershell.exe
1760	powershell.exe
1940	powershell.exe
560	powershell.exe
2524	powershell.exe
2180	powershell.exe
2812	powershell.exe
1632	powershell.exe
1300	powershell.exe
1144	powershell.exe
2236	powershell.exe
2200	powershell.exe
820	powershell.exe
628	powershell.exe
1264	powershell.exe
888	powershell.exe
1692	powershell.exe
2860	powershell.exe
2096	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
620	csrss.exe
1100	csrss.exe
1060	csrss.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\1610b97d3ab4a7	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Windows Portable Devices\dllhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Adobe\explorer.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files (x86)\Adobe\7a0fd90576e088	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Uninstall Information\wininit.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXE40C.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Windows Portable Devices\dllhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXEC8B.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\RCXEC8C.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXF3B2.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Adobe\explorer.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF829.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXE40B.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Windows Portable Devices\5940a34987c991	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Uninstall Information\wininit.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\0a1fd5f707cd16	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Program Files\Uninstall Information\56085415360792	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXD2FB.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files (x86)\Adobe\RCXF3B3.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXF82A.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\RCXD2FA.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe	1f0343adab1970d928320ce2aa587fd3.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0015\wininit.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Vss\Writers\Application\taskhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Performance\WinSAT\DataStore\101b941d020240	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\CSC\WmiPrvSE.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\lsm.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXEA19.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCXF5B8.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Globalization\Sorting\886983d96e3d3e	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Vss\Writers\Application\taskhost.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCXDD7F.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\PolicyDefinitions\explorer.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\schemas\RCXDF85.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0015\RCXE189.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\PolicyDefinitions\explorer.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\inf\SMSvcHost 4.0.0.0\0015\wininit.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\RCXDD80.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Globalization\Sorting\RCXF5B7.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\CSC\RCXDB0D.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Globalization\Sorting\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0015\RCXE1F7.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Vss\Writers\Application\b75386f1303e64	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\CSC\WmiPrvSE.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\CSC\24dbde2999530e	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\schemas\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXD500.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Performance\WinSAT\DataStore\lsm.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXD4FF.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\CSC\RCXDB0E.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\schemas\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\PolicyDefinitions\RCXEA87.tmp	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\Globalization\Sorting\csrss.exe	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\schemas\886983d96e3d3e	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\inf\SMSvcHost 4.0.0.0\0015\56085415360792	1f0343adab1970d928320ce2aa587fd3.exe
File created	C:\Windows\PolicyDefinitions\7a0fd90576e088	1f0343adab1970d928320ce2aa587fd3.exe
File opened for modification	C:\Windows\schemas\RCXDF84.tmp	1f0343adab1970d928320ce2aa587fd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
852	schtasks.exe
2072	schtasks.exe
2800	schtasks.exe
1324	schtasks.exe
2968	schtasks.exe
2368	schtasks.exe
1056	schtasks.exe
768	schtasks.exe
2292	schtasks.exe
1796	schtasks.exe
656	schtasks.exe
2500	schtasks.exe
552	schtasks.exe
1448	schtasks.exe
792	schtasks.exe
2936	schtasks.exe
1708	schtasks.exe
1524	schtasks.exe
2820	schtasks.exe
2808	schtasks.exe
2876	schtasks.exe
2668	schtasks.exe
2260	schtasks.exe
740	schtasks.exe
560	schtasks.exe
2104	schtasks.exe
1244	schtasks.exe
380	schtasks.exe
2988	schtasks.exe
940	schtasks.exe
2760	schtasks.exe
1492	schtasks.exe
2728	schtasks.exe
1980	schtasks.exe
484	schtasks.exe
2804	schtasks.exe
2328	schtasks.exe
2576	schtasks.exe
1180	schtasks.exe
1580	schtasks.exe
820	schtasks.exe
3056	schtasks.exe
1612	schtasks.exe
2376	schtasks.exe
1996	schtasks.exe
2708	schtasks.exe
1696	schtasks.exe
1032	schtasks.exe
1636	schtasks.exe
1144	schtasks.exe
2880	schtasks.exe
628	schtasks.exe
1264	schtasks.exe
2476	schtasks.exe
876	schtasks.exe
2736	schtasks.exe
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3048	1f0343adab1970d928320ce2aa587fd3.exe
3048	1f0343adab1970d928320ce2aa587fd3.exe
3048	1f0343adab1970d928320ce2aa587fd3.exe
3048	1f0343adab1970d928320ce2aa587fd3.exe
3048	1f0343adab1970d928320ce2aa587fd3.exe
1144	powershell.exe
1760	powershell.exe
1940	powershell.exe
2860	powershell.exe
2096	powershell.exe
2236	powershell.exe
888	powershell.exe
820	powershell.exe
2200	powershell.exe
2180	powershell.exe
2812	powershell.exe
1724	powershell.exe
1300	powershell.exe
2524	powershell.exe
628	powershell.exe
1692	powershell.exe
656	powershell.exe
1632	powershell.exe
1264	powershell.exe
560	powershell.exe
620	csrss.exe
1100	csrss.exe
1060	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	1f0343adab1970d928320ce2aa587fd3.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	620	csrss.exe
Token: SeDebugPrivilege	1100	csrss.exe
Token: SeDebugPrivilege	1060	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2524	3048	1f0343adab1970d928320ce2aa587fd3.exe	89
PID 3048 wrote to memory of 2524	3048	1f0343adab1970d928320ce2aa587fd3.exe	89
PID 3048 wrote to memory of 2524	3048	1f0343adab1970d928320ce2aa587fd3.exe	89
PID 3048 wrote to memory of 1760	3048	1f0343adab1970d928320ce2aa587fd3.exe	90
PID 3048 wrote to memory of 1760	3048	1f0343adab1970d928320ce2aa587fd3.exe	90
PID 3048 wrote to memory of 1760	3048	1f0343adab1970d928320ce2aa587fd3.exe	90
PID 3048 wrote to memory of 1144	3048	1f0343adab1970d928320ce2aa587fd3.exe	91
PID 3048 wrote to memory of 1144	3048	1f0343adab1970d928320ce2aa587fd3.exe	91
PID 3048 wrote to memory of 1144	3048	1f0343adab1970d928320ce2aa587fd3.exe	91
PID 3048 wrote to memory of 1940	3048	1f0343adab1970d928320ce2aa587fd3.exe	92
PID 3048 wrote to memory of 1940	3048	1f0343adab1970d928320ce2aa587fd3.exe	92
PID 3048 wrote to memory of 1940	3048	1f0343adab1970d928320ce2aa587fd3.exe	92
PID 3048 wrote to memory of 2860	3048	1f0343adab1970d928320ce2aa587fd3.exe	93
PID 3048 wrote to memory of 2860	3048	1f0343adab1970d928320ce2aa587fd3.exe	93
PID 3048 wrote to memory of 2860	3048	1f0343adab1970d928320ce2aa587fd3.exe	93
PID 3048 wrote to memory of 2236	3048	1f0343adab1970d928320ce2aa587fd3.exe	94
PID 3048 wrote to memory of 2236	3048	1f0343adab1970d928320ce2aa587fd3.exe	94
PID 3048 wrote to memory of 2236	3048	1f0343adab1970d928320ce2aa587fd3.exe	94
PID 3048 wrote to memory of 628	3048	1f0343adab1970d928320ce2aa587fd3.exe	95
PID 3048 wrote to memory of 628	3048	1f0343adab1970d928320ce2aa587fd3.exe	95
PID 3048 wrote to memory of 628	3048	1f0343adab1970d928320ce2aa587fd3.exe	95
PID 3048 wrote to memory of 2096	3048	1f0343adab1970d928320ce2aa587fd3.exe	96
PID 3048 wrote to memory of 2096	3048	1f0343adab1970d928320ce2aa587fd3.exe	96
PID 3048 wrote to memory of 2096	3048	1f0343adab1970d928320ce2aa587fd3.exe	96
PID 3048 wrote to memory of 820	3048	1f0343adab1970d928320ce2aa587fd3.exe	98
PID 3048 wrote to memory of 820	3048	1f0343adab1970d928320ce2aa587fd3.exe	98
PID 3048 wrote to memory of 820	3048	1f0343adab1970d928320ce2aa587fd3.exe	98
PID 3048 wrote to memory of 2812	3048	1f0343adab1970d928320ce2aa587fd3.exe	99
PID 3048 wrote to memory of 2812	3048	1f0343adab1970d928320ce2aa587fd3.exe	99
PID 3048 wrote to memory of 2812	3048	1f0343adab1970d928320ce2aa587fd3.exe	99
PID 3048 wrote to memory of 2200	3048	1f0343adab1970d928320ce2aa587fd3.exe	101
PID 3048 wrote to memory of 2200	3048	1f0343adab1970d928320ce2aa587fd3.exe	101
PID 3048 wrote to memory of 2200	3048	1f0343adab1970d928320ce2aa587fd3.exe	101
PID 3048 wrote to memory of 2180	3048	1f0343adab1970d928320ce2aa587fd3.exe	103
PID 3048 wrote to memory of 2180	3048	1f0343adab1970d928320ce2aa587fd3.exe	103
PID 3048 wrote to memory of 2180	3048	1f0343adab1970d928320ce2aa587fd3.exe	103
PID 3048 wrote to memory of 560	3048	1f0343adab1970d928320ce2aa587fd3.exe	104
PID 3048 wrote to memory of 560	3048	1f0343adab1970d928320ce2aa587fd3.exe	104
PID 3048 wrote to memory of 560	3048	1f0343adab1970d928320ce2aa587fd3.exe	104
PID 3048 wrote to memory of 1724	3048	1f0343adab1970d928320ce2aa587fd3.exe	105
PID 3048 wrote to memory of 1724	3048	1f0343adab1970d928320ce2aa587fd3.exe	105
PID 3048 wrote to memory of 1724	3048	1f0343adab1970d928320ce2aa587fd3.exe	105
PID 3048 wrote to memory of 1632	3048	1f0343adab1970d928320ce2aa587fd3.exe	106
PID 3048 wrote to memory of 1632	3048	1f0343adab1970d928320ce2aa587fd3.exe	106
PID 3048 wrote to memory of 1632	3048	1f0343adab1970d928320ce2aa587fd3.exe	106
PID 3048 wrote to memory of 656	3048	1f0343adab1970d928320ce2aa587fd3.exe	107
PID 3048 wrote to memory of 656	3048	1f0343adab1970d928320ce2aa587fd3.exe	107
PID 3048 wrote to memory of 656	3048	1f0343adab1970d928320ce2aa587fd3.exe	107
PID 3048 wrote to memory of 1300	3048	1f0343adab1970d928320ce2aa587fd3.exe	108
PID 3048 wrote to memory of 1300	3048	1f0343adab1970d928320ce2aa587fd3.exe	108
PID 3048 wrote to memory of 1300	3048	1f0343adab1970d928320ce2aa587fd3.exe	108
PID 3048 wrote to memory of 1264	3048	1f0343adab1970d928320ce2aa587fd3.exe	110
PID 3048 wrote to memory of 1264	3048	1f0343adab1970d928320ce2aa587fd3.exe	110
PID 3048 wrote to memory of 1264	3048	1f0343adab1970d928320ce2aa587fd3.exe	110
PID 3048 wrote to memory of 888	3048	1f0343adab1970d928320ce2aa587fd3.exe	111
PID 3048 wrote to memory of 888	3048	1f0343adab1970d928320ce2aa587fd3.exe	111
PID 3048 wrote to memory of 888	3048	1f0343adab1970d928320ce2aa587fd3.exe	111
PID 3048 wrote to memory of 1692	3048	1f0343adab1970d928320ce2aa587fd3.exe	112
PID 3048 wrote to memory of 1692	3048	1f0343adab1970d928320ce2aa587fd3.exe	112
PID 3048 wrote to memory of 1692	3048	1f0343adab1970d928320ce2aa587fd3.exe	112
PID 3048 wrote to memory of 620	3048	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 3048 wrote to memory of 620	3048	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 3048 wrote to memory of 620	3048	1f0343adab1970d928320ce2aa587fd3.exe	129
PID 620 wrote to memory of 2256	620	csrss.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe
"C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\CSC\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\SMSvcHost 4.0.0.0\0015\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Sorting\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1264
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\1f0343adab1970d928320ce2aa587fd3.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1692
- C:\Windows\schemas\csrss.exe
  "C:\Windows\schemas\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45e8e88c-d21f-47eb-b6b5-596a0e8757ce.vbs"
    3⤵
    PID:2256
  - - C:\Windows\schemas\csrss.exe
      C:\Windows\schemas\csrss.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1100
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fb42ad2-8570-4fb9-8e72-efe469496780.vbs"
        5⤵
        
        PID:744
      - C:\Windows\schemas\csrss.exe
        
        C:\Windows\schemas\csrss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0576b2ec-cae9-4603-b4ae-5d653fb3ac5f.vbs"
        7⤵
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd5ce27d-e97a-489f-8c9f-2b3daca1c744.vbs"
        7⤵
        
        PID:1032
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4820057d-860d-488e-8528-765e715f1c97.vbs"
        5⤵
        
        PID:2012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b76dccbf-f3e8-4caf-a9e7-7b6c346092af.vbs"
    3⤵
    PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\CSC\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\CSC\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\CSC\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\inf\SMSvcHost 4.0.0.0\0015\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\inf\SMSvcHost 4.0.0.0\0015\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\SMSvcHost 4.0.0.0\0015\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\Sorting\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd31" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\1f0343adab1970d928320ce2aa587fd3.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd3" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\1f0343adab1970d928320ce2aa587fd3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1f0343adab1970d928320ce2aa587fd31" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Local Settings\1f0343adab1970d928320ce2aa587fd3.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\RCXEEFD.tmp

Filesize
1.6MB

MD5
3fd3db77a9ae2c66977d1bcb18c4d4d9

SHA1
abd84f226995ce955cc463b58398d3ac7e60420f

SHA256
7a84acf357da519cd27fa289ffa5abd8f5668989060c1eba65ec2393eb10b058

SHA512
fce4f7aa1c98c1c5894672bf0976403fc84eab9c98016079899cc5082f21920fa678f201d2921f75fbe9d4336d3f2cb11e1531628e525e43abbf294fde9b55c5

Download Submit
C:\Recovery\8490d022-e5e1-11ef-8fd8-4a893fa2fe1c\lsm.exe

Filesize
1.6MB

MD5
df7e25eb10082239709be884aec727ad

SHA1
40baa05e23d7204ac1593269b6a0bd03f4272042

SHA256
18871b1d505320903894b7da1f82e81d062eefe74e57a35dacf42f3d548b862c

SHA512
f927a9139b900d943325eae562e56960a2010a66b26122dfca8efe9fb44518f165b818f9fe4eb29a6b3fe5a0506bda0cb0ba9fea8a4027798b56ae6e9503d183

Download Submit
C:\Users\Admin\AppData\Local\Temp\0576b2ec-cae9-4603-b4ae-5d653fb3ac5f.vbs

Filesize
704B

MD5
41944c7e56f1d9ad2700fc1f44800297

SHA1
31914882d0408718d64304fd049bd7d7b320d987

SHA256
43c47964160508e4488ea2952ca3775b0dacebc6e7995ae500528dc21724beb4

SHA512
9f7dfe11ce932ecac96a69e8233ef99ef0fd7cd9716b3835ccb0f88053f6c10341c35626c6d282eeb00a06a06432f76465762aacbb042ab0c797fdd1206ddcd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\45e8e88c-d21f-47eb-b6b5-596a0e8757ce.vbs

Filesize
703B

MD5
fc7d031d8137ea87e106955cf91eb1b3

SHA1
718f3af58334dd7d3a36969ee1024b326677d179

SHA256
485c2bd95f51956f123b06becabea5cc36630693cc342ae0f92d451e078ea083

SHA512
a81a89ebbad6b978f1dca0eaba84b4c52e2f1f1210c8a640f8c4831fe7919039a483ed917933e372ffb62eb3c1b6a4202a1d5dd4090ea7e3012db22edee73180

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fb42ad2-8570-4fb9-8e72-efe469496780.vbs

Filesize
704B

MD5
43da924806f98c1a43294d629cec2de9

SHA1
c8eca76c1567dffee5979fa4d2cd32c4ad385042

SHA256
a25d26f122a9b306018794cdc54ec7f2812d00f3249bad879550dffecbe37517

SHA512
8ede34f6d674506caaa1329df4549f67469c12e6bf4bfb0c38870a79a0e190eb88f1351e9a87e48e95c8855b0231cb266f87090831c076ff3f043a3a9ca125f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\b76dccbf-f3e8-4caf-a9e7-7b6c346092af.vbs

Filesize
480B

MD5
212907b5ffb87812e53d93d15a6be22c

SHA1
9616e8921bd90fa28dec99f4807c269949b4d2a0

SHA256
a1f323b33e0d8248ab747806b4de5cc6caef35357e353453a7648a82a7ed783d

SHA512
bef8a016ffaa227d016c38f830d29109dc4d00a0c440bac258d4c315c9dac37515adb24e841b3a4608e158b8d8039f09dfe3d0d77a2d4a84a233a6d438f5d7ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
51393c9dd52c7b1edf4ae98704ab70a0

SHA1
b0921daa8f3462813e05722812ddb3df2c20a139

SHA256
079030cefc37f0389980fedbc36cd686fefde9ab4412f7e2e845d655146caa7e

SHA512
f14c5d7e9c8d455220ae0524262c90e3a6294b878eef9a381be05c95c62f3fd7fadd43c1baabc0910d89b4860acd698c3b79a9910419599aae673613ab80594a

Download Submit
C:\Windows\CSC\WmiPrvSE.exe

Filesize
1.6MB

MD5
1f0343adab1970d928320ce2aa587fd3

SHA1
e9ba72eefebbc990b9d87fdc6c900ba0ab4160b8

SHA256
9543bb2076f9b8c0d465689514dfc89f7cddc872620b5158cff2e2fa270963c4

SHA512
c6ae66f4ee2e2307da2176d9ea1e8a57ee96c59a15c633d8ca618cc4c167744063fa189d03eb134e1789ad544cef426e1b6da8c61dd1785888b204f84cdc316c

Download Submit
C:\Windows\PolicyDefinitions\explorer.exe

Filesize
1.6MB

MD5
ca526ac200a1fe09088f9d0270d6c690

SHA1
c951aa1cf69cc4954d83479e841fc823ba85b353

SHA256
e903716df1b769454c4716b14da1b0ce5a6a6a4c4d387bf9aceb51166b284ea3

SHA512
22baba7a5029b995109bf726e259d4d7c95bafce802f7065516b6c03fc7576b9e89fe8a3e8f0ea0bb8e806bd1bb3add67d891a21d4da967c07e07fe240185bc3

Download Submit
C:\Windows\inf\SMSvcHost 4.0.0.0\0015\wininit.exe

Filesize
1.6MB

MD5
1fc752db3f90373867bed7bacad350ed

SHA1
cd4ee5c3f7ba816603bd675623852882818a32df

SHA256
1d7cca6991e192a7ed0dd97b605d75c29cd62e7a419cfeaab2eb3b44e6149480

SHA512
05660395163729afcc24c2958a83d1c1870b09d3769b9e314737b2ee5cbdcab7995c1b631c3e7d1fc7cac412ef04dc1368fafb9031ffa3727a9e91c8cb970c39

Download Submit
memory/620-391-0x00000000001C0000-0x0000000000362000-memory.dmp

Filesize
1.6MB

Download
memory/1100-402-0x0000000001260000-0x0000000001402000-memory.dmp

Filesize
1.6MB

Download
memory/1144-308-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1760-291-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/3048-8-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/3048-10-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/3048-16-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/3048-13-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/3048-14-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download
memory/3048-12-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/3048-212-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/3048-11-0x0000000000680000-0x000000000068A000-memory.dmp

Filesize
40KB

Download
memory/3048-232-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/3048-15-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/3048-9-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/3048-0-0x000007FEF5C13000-0x000007FEF5C14000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/3048-390-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/3048-6-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/3048-5-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/3048-4-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/3048-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/3048-2-0x000007FEF5C10000-0x000007FEF65FC000-memory.dmp

Filesize
9.9MB

Download
memory/3048-1-0x00000000011E0000-0x0000000001382000-memory.dmp

Filesize
1.6MB

Download