dcrat | 7ddbec7fac00ec5624f45da5879ebfa97d95b21c7842cbaa1058daa46a47bd41

Analysis

max time kernel
59s
max time network
58s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Size

1.6MB
MD5

5355cb64d0008d7ed7267cebea8f9bc4
SHA1

4f8fc970efa45c2f547e8583b49eb543b778f001
SHA256

c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f
SHA512

cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2880	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2880	schtasks.exe	30

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/328-1-0x0000000001340000-0x00000000014E2000-memory.dmp	dcrat
behavioral25/files/0x000500000001961b-25.dat	dcrat
behavioral25/files/0x000600000001953a-93.dat	dcrat
behavioral25/files/0x000700000001961b-104.dat	dcrat
behavioral25/files/0x0007000000019625-115.dat	dcrat
behavioral25/memory/2552-250-0x0000000001270000-0x0000000001412000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2668	powershell.exe
1888	powershell.exe
1868	powershell.exe
3060	powershell.exe
1448	powershell.exe
2820	powershell.exe
1552	powershell.exe
2360	powershell.exe
2904	powershell.exe
2704	powershell.exe
2028	powershell.exe
1896	powershell.exe
852	powershell.exe
1604	powershell.exe
2788	powershell.exe
2204	powershell.exe
2120	powershell.exe
1000	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
2552	csrss.exe
2312	csrss.exe
1216	csrss.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\et-EE\dwm.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\SysWOW64\et-EE\6cb0b6c459d5d3	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\SysWOW64\et-EE\dwm.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\taskhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\services.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\RCXC3AF.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\smss.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\RCXCA98.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Uninstall Information\69ddcba757bf72	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\OSPPSVC.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\RCXD1ED.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\services.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\b75386f1303e64	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files\Reference Assemblies\WmiPrvSE.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\RCXC3B0.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXC622.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files\Microsoft Games\Mahjong\dllhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Uninstall Information\smss.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Common Files\Services\1610b97d3ab4a7	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\1610b97d3ab4a7	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXC621.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\OSPPSVC.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files\Reference Assemblies\24dbde2999530e	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\c5b4cb5e9653cc	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files\Microsoft Games\Mahjong\5940a34987c991	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Visualizations\RCXCA97.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Help\RCXD25C.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\dllhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\taskhost.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Program Files\Reference Assemblies\WmiPrvSE.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\886983d96e3d3e	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Prefetch\RCXCD09.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Prefetch\RCXCD78.tmp	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\Prefetch\csrss.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\security\ApplicationId\sppsvc.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\security\ApplicationId\0a1fd5f707cd16	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File opened for modification	C:\Windows\security\ApplicationId\sppsvc.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
File created	C:\Windows\Prefetch\csrss.exe	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2724	schtasks.exe
2824	schtasks.exe
2384	schtasks.exe
1984	schtasks.exe
1860	schtasks.exe
1192	schtasks.exe
1444	schtasks.exe
1644	schtasks.exe
2708	schtasks.exe
276	schtasks.exe
1948	schtasks.exe
2620	schtasks.exe
1100	schtasks.exe
892	schtasks.exe
2452	schtasks.exe
2112	schtasks.exe
768	schtasks.exe
1960	schtasks.exe
1284	schtasks.exe
1588	schtasks.exe
2148	schtasks.exe
1988	schtasks.exe
2068	schtasks.exe
1704	schtasks.exe
2172	schtasks.exe
2944	schtasks.exe
1480	schtasks.exe
1052	schtasks.exe
2316	schtasks.exe
2848	schtasks.exe
2792	schtasks.exe
2608	schtasks.exe
2584	schtasks.exe
1844	schtasks.exe
1808	schtasks.exe
1268	schtasks.exe
2016	schtasks.exe
2780	schtasks.exe
2644	schtasks.exe
1356	schtasks.exe
1204	schtasks.exe
1456	schtasks.exe
2284	schtasks.exe
2232	schtasks.exe
2636	schtasks.exe
1300	schtasks.exe
2032	schtasks.exe
2292	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
1888	powershell.exe
1448	powershell.exe
2204	powershell.exe
1552	powershell.exe
2120	powershell.exe
2360	powershell.exe
2028	powershell.exe
3060	powershell.exe
1896	powershell.exe
1868	powershell.exe
1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
2704	powershell.exe
2668	powershell.exe
2820	powershell.exe
1604	powershell.exe
2904	powershell.exe
852	powershell.exe
2788	powershell.exe
1000	powershell.exe
2552	csrss.exe
2312	csrss.exe
1216	csrss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2552	csrss.exe
Token: SeDebugPrivilege	2312	csrss.exe
Token: SeDebugPrivilege	1216	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 1552	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	59
PID 328 wrote to memory of 1552	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	59
PID 328 wrote to memory of 1552	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	59
PID 328 wrote to memory of 2204	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	60
PID 328 wrote to memory of 2204	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	60
PID 328 wrote to memory of 2204	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	60
PID 328 wrote to memory of 1888	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	61
PID 328 wrote to memory of 1888	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	61
PID 328 wrote to memory of 1888	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	61
PID 328 wrote to memory of 2028	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	62
PID 328 wrote to memory of 2028	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	62
PID 328 wrote to memory of 2028	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	62
PID 328 wrote to memory of 2120	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	63
PID 328 wrote to memory of 2120	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	63
PID 328 wrote to memory of 2120	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	63
PID 328 wrote to memory of 1448	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	66
PID 328 wrote to memory of 1448	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	66
PID 328 wrote to memory of 1448	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	66
PID 328 wrote to memory of 2360	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	67
PID 328 wrote to memory of 2360	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	67
PID 328 wrote to memory of 2360	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	67
PID 328 wrote to memory of 3060	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	68
PID 328 wrote to memory of 3060	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	68
PID 328 wrote to memory of 3060	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	68
PID 328 wrote to memory of 1868	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	70
PID 328 wrote to memory of 1868	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	70
PID 328 wrote to memory of 1868	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	70
PID 328 wrote to memory of 1896	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	71
PID 328 wrote to memory of 1896	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	71
PID 328 wrote to memory of 1896	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	71
PID 328 wrote to memory of 2192	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	77
PID 328 wrote to memory of 2192	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	77
PID 328 wrote to memory of 2192	328	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	77
PID 2192 wrote to memory of 2124	2192	cmd.exe	81
PID 2192 wrote to memory of 2124	2192	cmd.exe	81
PID 2192 wrote to memory of 2124	2192	cmd.exe	81
PID 2192 wrote to memory of 1192	2192	cmd.exe	82
PID 2192 wrote to memory of 1192	2192	cmd.exe	82
PID 2192 wrote to memory of 1192	2192	cmd.exe	82
PID 1192 wrote to memory of 2820	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	104
PID 1192 wrote to memory of 2820	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	104
PID 1192 wrote to memory of 2820	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	104
PID 1192 wrote to memory of 2788	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	105
PID 1192 wrote to memory of 2788	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	105
PID 1192 wrote to memory of 2788	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	105
PID 1192 wrote to memory of 2704	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	106
PID 1192 wrote to memory of 2704	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	106
PID 1192 wrote to memory of 2704	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	106
PID 1192 wrote to memory of 1000	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	109
PID 1192 wrote to memory of 1000	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	109
PID 1192 wrote to memory of 1000	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	109
PID 1192 wrote to memory of 1604	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	110
PID 1192 wrote to memory of 1604	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	110
PID 1192 wrote to memory of 1604	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	110
PID 1192 wrote to memory of 852	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	111
PID 1192 wrote to memory of 852	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	111
PID 1192 wrote to memory of 852	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	111
PID 1192 wrote to memory of 2668	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	112
PID 1192 wrote to memory of 2668	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	112
PID 1192 wrote to memory of 2668	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	112
PID 1192 wrote to memory of 2904	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	113
PID 1192 wrote to memory of 2904	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	113
PID 1192 wrote to memory of 2904	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	113
PID 1192 wrote to memory of 2552	1192	c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
"C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Mahjong\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1896
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DlW2r31bST.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2124
- - C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe
    "C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2820
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\ApplicationId\sppsvc.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\taskhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\et-EE\dwm.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1604
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\WmiPrvSE.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2668
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2904
  - - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
      "C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\014dc808-24ff-49e6-a1c0-2949ddd5e129.vbs"
        5⤵
        
        PID:1892
      - C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\936734df-7c88-4a2f-bf33-3e7762176c34.vbs"
        7⤵
        
        PID:2196
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        
        C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\478c3c23-d4e7-44cf-83e1-3ff6e42c24a8.vbs"
        9⤵
        
        PID:2688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15d4b369-feb0-486a-ad99-1a6ac1950c97.vbs"
        9⤵
        
        PID:1948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4bccd383-730e-455f-8088-b2f297011c4c.vbs"
        7⤵
        
        PID:2544
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4fc03f9-149c-4f44-966a-187b959c7d45.vbs"
        5⤵
        
        PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Mahjong\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Mahjong\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Games\Mahjong\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Prefetch\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Prefetch\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\security\ApplicationId\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\security\ApplicationId\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\security\ApplicationId\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\et-EE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\SysWOW64\et-EE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\et-EE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Adobe\Help\services.exe

Filesize
1.6MB

MD5
458624e14f5c9ee6a2c745bc78be52d3

SHA1
11a08725cc1a7b3ea9810e800cf037f52cef85fb

SHA256
37f2fbefc4d855ad74d8a8ca3c19fbb1c12e21130f1d14a5bb8b83a9505a0e39

SHA512
a0db4bac01ec7df3ef841d7caf67dc8cbd7f0111f1bbc30b3a6df7bbd2999b47116c8ef540e62d18b82cb5e5419ede8baf992492e2bff863a89008bc7c4c2201

Download Submit
C:\ProgramData\lsass.exe

Filesize
1.6MB

MD5
b60f92c20575a02bb6abd553aeaff319

SHA1
48447a0fe55a12a9bf1dccca7319f3b8f7822b2b

SHA256
3e6ab99a81041e1c0e9c569f4771bcb1df7a202318c4a43e5e0b41c18c957599

SHA512
7688e909defff603aa53fae9a624ffe171840dd87e6c75dc44734a7f0a881f815caca65a65ddf3963608823add6d2b14bbbd95043610bc98d3924bf14c2b5643

Download Submit
C:\Users\Admin\AppData\Local\Temp\014dc808-24ff-49e6-a1c0-2949ddd5e129.vbs

Filesize
734B

MD5
7c58b990ced39590eae596f8af345948

SHA1
344f5c1716c61e68a1add2a10d115edb094e22b0

SHA256
270a9278f104c72af839f07aad9abecca5740aaadb405e4345070b32a909b6a9

SHA512
ec631fae9e38262558d2407812003a44e31ff778c0fb3b056e77e953963cdbef0a66d322b373e7029bbd21f59040b920dedb279f1c19a5987a99742306855e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\478c3c23-d4e7-44cf-83e1-3ff6e42c24a8.vbs

Filesize
734B

MD5
d4acf3a5bb2dc7b6139c7c395f484351

SHA1
525044a8591883249a4cc5a375b4c40f63a2359c

SHA256
312973ccef10dc5b0e595c97c2e80fc4c2335a77459421f8c3ad80ba00379e71

SHA512
6098b05300629c877f8b450cb06337ebbc2dc5cdeb09f2e37668b369e5437f1d7ab79287d3967cec828594891f8a97af29fb8661a0dfccf7814b312889373763

Download Submit
C:\Users\Admin\AppData\Local\Temp\936734df-7c88-4a2f-bf33-3e7762176c34.vbs

Filesize
734B

MD5
3564c7463899af4adf091f8f5c620a2c

SHA1
b30b7509bd23e6871ff499045ea3c173fc916e8c

SHA256
1d25f25d089b348c0e4fc7e442c925dae9bd45fd78148c1136b88f9a808d8c0f

SHA512
c6ff9d987af5eca03e11355d13b0c19980a0ead79e56b1689cf338bab22b701a3993d803beb3368990cc0082c71819bb51ee0aa711d1da7899cd5bba65dda4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\DlW2r31bST.bat

Filesize
267B

MD5
dee6cb14a79b7154887f4a7efef484d0

SHA1
a4b1706942962135f4732dfab042d2cf5d44ec9e

SHA256
f13d0ea3fb972fadbbebbb8e6a9e9b0bc4c38790e6ad7f1474cf88b1ae88e113

SHA512
70d7e856110c3ce1b7748652d5c007493667bf1d25603f8ab05a8a48fddbbd14f1eb3751cbb546a93430fb4881073e842f65d6652b0cbcf55733d65311d52711

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4fc03f9-149c-4f44-966a-187b959c7d45.vbs

Filesize
510B

MD5
f3b82eca93ab8ec2f3bb9cf3dcf5c23d

SHA1
5e23dbaabe5e38e515378cdf554a1bf98f2a5c4c

SHA256
2c984199a8341bd1c348d97d0e1f6d1c224ae6b34d3c0e78e6e8ad2e87770658

SHA512
1d2d2af84b2caf0d3d26ac088c4d051353d92456895197d3044dfa22e35acfbe7e22f96913befa73ed17b257b833e008394f1d64ffbfded62aaf8d9ed7c6e30b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
62ffd25b96bf2b8f6f2db5b6f99ef5a2

SHA1
52c6c7c40ccc78a913dd20dd6a19050533ae2165

SHA256
20bdfa157cb34011970b74075267bc1e981b39b4fdcd42fa2c90951fa0633eb6

SHA512
3024a045ddb24a524fb51ee43cc093109f7d64a6d63b135d18d9f4fd96695103063e58f821905e26ef5161d8a5dbfb53d696e8a709fdcf7076fc86b59fee5c10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
22e993097afaba17f0ccab02d45d4bf9

SHA1
15f580d8c9439acac7712ab83075a17d5a0012bd

SHA256
45c4702cb51bf109ba203ee7769267a69b4491dd523c3306895279a5f994553d

SHA512
432f5a3e8076bfa3436bbdb7737a0d089823e9f553b3c13c2c4afd862fd1275cb5431b90cd9b88b11f95e45fcb75087a05944c597876d333547bebff0e409f97

Download Submit
C:\Windows\Prefetch\csrss.exe

Filesize
1.6MB

MD5
5355cb64d0008d7ed7267cebea8f9bc4

SHA1
4f8fc970efa45c2f547e8583b49eb543b778f001

SHA256
c50b94cf52f9ee1ec307059e727995fc0e98c8003570e368508d911debf3cd6f

SHA512
cd662e6d9f215b18867056fe70d9b04b2eaf7090577546d038218dfe8716379654cb6e5f1c6ca3672e8bd1844d5e7810486164cf8fe99054305a89eb51b4bac6

Download Submit
C:\Windows\Prefetch\csrss.exe

Filesize
1.6MB

MD5
a93f4df4dd26118711a9b8d99a48b88e

SHA1
34091b28f88d98ee94a418bd7c5d78c756a57f1d

SHA256
82ed1ea5b5542726004fdfeb6e20aa094480a7a1bd641cd8c221caa226c9002e

SHA512
ef06e3f058cffe912e6aeaa48adf85215e2b4b18719e51e0ad6f1e0e028ed37de8050140c8761a60d332294ca887efaa5807488cb40e55ca38a185a7741ae02a

Download Submit
memory/328-16-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/328-7-0x00000000004A0000-0x00000000004B0000-memory.dmp

Filesize
64KB

Download
memory/328-14-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/328-13-0x00000000006E0000-0x00000000006E8000-memory.dmp

Filesize
32KB

Download
memory/328-15-0x0000000000700000-0x000000000070A000-memory.dmp

Filesize
40KB

Download
memory/328-0-0x000007FEF5EC3000-0x000007FEF5EC4000-memory.dmp

Filesize
4KB

Download
memory/328-11-0x00000000006C0000-0x00000000006CA000-memory.dmp

Filesize
40KB

Download
memory/328-10-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/328-9-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/328-8-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/328-147-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/328-12-0x00000000006D0000-0x00000000006DE000-memory.dmp

Filesize
56KB

Download
memory/328-5-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/328-1-0x0000000001340000-0x00000000014E2000-memory.dmp

Filesize
1.6MB

Download
memory/328-2-0x000007FEF5EC0000-0x000007FEF68AC000-memory.dmp

Filesize
9.9MB

Download
memory/328-3-0x0000000000140000-0x000000000015C000-memory.dmp

Filesize
112KB

Download
memory/328-4-0x0000000000160000-0x0000000000170000-memory.dmp

Filesize
64KB

Download
memory/328-6-0x0000000000370000-0x0000000000378000-memory.dmp

Filesize
32KB

Download
memory/1888-191-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2204-168-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2552-250-0x0000000001270000-0x0000000001412000-memory.dmp

Filesize
1.6MB

Download
memory/2704-242-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2704-243-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

Filesize
32KB

Download