dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
41s
max time network
65s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Size

1.6MB
MD5

517861702fe0a89aa5e3af35d9f96661
SHA1

50101d8bff153320694baf54bc7b68e585720d4d
SHA256

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
SHA512

da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2836	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2836	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2380-1-0x00000000000B0000-0x0000000000252000-memory.dmp	dcrat
behavioral11/files/0x0005000000019509-25.dat	dcrat
behavioral11/files/0x000500000001a4db-54.dat	dcrat
behavioral11/files/0x000f000000012281-65.dat	dcrat
behavioral11/files/0x000b000000019451-100.dat	dcrat
behavioral11/files/0x0006000000019623-181.dat	dcrat
behavioral11/memory/3056-250-0x0000000000B50000-0x0000000000CF2000-memory.dmp	dcrat
behavioral11/memory/2004-261-0x0000000001280000-0x0000000001422000-memory.dmp	dcrat
behavioral11/memory/2312-284-0x0000000000290000-0x0000000000432000-memory.dmp	dcrat
behavioral11/files/0x0009000000019512-283.dat	dcrat
behavioral11/files/0x000700000001962d-288.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1644	powershell.exe
1820	powershell.exe
1660	powershell.exe
2720	powershell.exe
2864	powershell.exe
3068	powershell.exe
2852	powershell.exe
1680	powershell.exe
980	powershell.exe
2416	powershell.exe
2136	powershell.exe
2660	powershell.exe
2324	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2040	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\0a1fd5f707cd16	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXD5C2.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXDBD1.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\RCXDBD2.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCXE049.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\DVD Maker\it-IT\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Defender\de-DE\26a8967c8ba04a	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\101b941d020240	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\DVD Maker\it-IT\26a8967c8ba04a	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\c5b4cb5e9653cc	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD14C.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\RCXCF48.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\RCXD14B.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\taskhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\Idle.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RCXD7C7.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Uninstall Information\b75386f1303e64	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Media Player\it-IT\Idle.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Media Player\it-IT\6ccacd8608530f	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\1610b97d3ab4a7	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXCD43.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\RCXCF47.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXDE44.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\services.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXDE43.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Defender\de-DE\RCXE048.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Uninstall Information\taskhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\RCXCCD5.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\services.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\Windows Media Player\it-IT\RCXD5C3.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\DVD Maker\it-IT\RCXD7C8.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\csrss.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\Vss\Writers\Application\886983d96e3d3e	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXD9CC.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Vss\Writers\Application\RCXD9CD.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Vss\Writers\Application\csrss.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
896	schtasks.exe
1600	schtasks.exe
2932	schtasks.exe
2316	schtasks.exe
2668	schtasks.exe
2208	schtasks.exe
2844	schtasks.exe
1976	schtasks.exe
2760	schtasks.exe
2700	schtasks.exe
2364	schtasks.exe
1796	schtasks.exe
2056	schtasks.exe
2196	schtasks.exe
2460	schtasks.exe
1832	schtasks.exe
2416	schtasks.exe
1096	schtasks.exe
2256	schtasks.exe
1692	schtasks.exe
2648	schtasks.exe
2428	schtasks.exe
2996	schtasks.exe
1936	schtasks.exe
1260	schtasks.exe
2112	schtasks.exe
2356	schtasks.exe
1496	schtasks.exe
2052	schtasks.exe
828	schtasks.exe
2956	schtasks.exe
3064	schtasks.exe
1972	schtasks.exe
2724	schtasks.exe
2804	schtasks.exe
2736	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2324	powershell.exe
2852	powershell.exe
2864	powershell.exe
2416	powershell.exe
1820	powershell.exe
2660	powershell.exe
1660	powershell.exe
1680	powershell.exe
3068	powershell.exe
1644	powershell.exe
980	powershell.exe
2720	powershell.exe
2136	powershell.exe
3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2040	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	2040	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2324	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	68
PID 2380 wrote to memory of 2324	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	68
PID 2380 wrote to memory of 2324	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	68
PID 2380 wrote to memory of 3068	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	69
PID 2380 wrote to memory of 3068	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	69
PID 2380 wrote to memory of 3068	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	69
PID 2380 wrote to memory of 2660	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	70
PID 2380 wrote to memory of 2660	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	70
PID 2380 wrote to memory of 2660	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	70
PID 2380 wrote to memory of 2864	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	71
PID 2380 wrote to memory of 2864	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	71
PID 2380 wrote to memory of 2864	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	71
PID 2380 wrote to memory of 2720	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	73
PID 2380 wrote to memory of 2720	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	73
PID 2380 wrote to memory of 2720	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	73
PID 2380 wrote to memory of 2136	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	74
PID 2380 wrote to memory of 2136	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	74
PID 2380 wrote to memory of 2136	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	74
PID 2380 wrote to memory of 2416	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	76
PID 2380 wrote to memory of 2416	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	76
PID 2380 wrote to memory of 2416	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	76
PID 2380 wrote to memory of 980	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 2380 wrote to memory of 980	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 2380 wrote to memory of 980	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 2380 wrote to memory of 1660	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 2380 wrote to memory of 1660	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 2380 wrote to memory of 1660	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 2380 wrote to memory of 1680	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 2380 wrote to memory of 1680	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 2380 wrote to memory of 1680	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 2380 wrote to memory of 1820	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 2380 wrote to memory of 1820	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 2380 wrote to memory of 1820	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 2380 wrote to memory of 2852	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 2380 wrote to memory of 2852	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 2380 wrote to memory of 2852	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 2380 wrote to memory of 1644	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 2380 wrote to memory of 1644	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 2380 wrote to memory of 1644	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 2380 wrote to memory of 2736	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	94
PID 2380 wrote to memory of 2736	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	94
PID 2380 wrote to memory of 2736	2380	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	94
PID 2736 wrote to memory of 2708	2736	cmd.exe	96
PID 2736 wrote to memory of 2708	2736	cmd.exe	96
PID 2736 wrote to memory of 2708	2736	cmd.exe	96
PID 2736 wrote to memory of 3056	2736	cmd.exe	97
PID 2736 wrote to memory of 3056	2736	cmd.exe	97
PID 2736 wrote to memory of 3056	2736	cmd.exe	97
PID 3056 wrote to memory of 2976	3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	98
PID 3056 wrote to memory of 2976	3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	98
PID 3056 wrote to memory of 2976	3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	98
PID 3056 wrote to memory of 1688	3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	99
PID 3056 wrote to memory of 1688	3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	99
PID 3056 wrote to memory of 1688	3056	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	99
PID 2976 wrote to memory of 2004	2976	WScript.exe	100
PID 2976 wrote to memory of 2004	2976	WScript.exe	100
PID 2976 wrote to memory of 2004	2976	WScript.exe	100
PID 2004 wrote to memory of 2484	2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	101
PID 2004 wrote to memory of 2484	2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	101
PID 2004 wrote to memory of 2484	2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	101
PID 2004 wrote to memory of 3028	2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	102
PID 2004 wrote to memory of 3028	2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	102
PID 2004 wrote to memory of 3028	2004	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	102
PID 2484 wrote to memory of 2040	2484	WScript.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
"C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2324
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Hearts\es-ES\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sIhoPTDM6V.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2708
- - C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
    "C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f0d707c3-4cc7-4b03-a78c-de803c6be5f2.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2976
    - - C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
        
        "C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a0e96d61-f5b6-47ed-ba34-073d6158da7f.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
        
        "C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3470c984-a09a-4a5e-bcba-924ee0af9e24.vbs"
        8⤵
        
        PID:948
        
        C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
        
        "C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
        9⤵
        
        PID:2312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edd17aaf-46d5-416b-a5ae-10e0850a8f7c.vbs"
        10⤵
        
        PID:3032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\22acafb0-20ca-429b-af13-bda7b6b25826.vbs"
        10⤵
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2ea8693d-5f21-4936-9a62-eea17f0c60fb.vbs"
        8⤵
        
        PID:2208
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35a3b5e2-d0a6-4adf-bf2d-69338dcf0f87.vbs"
        6⤵
        
        PID:3028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02bcdcda-36ec-415b-81f7-a13f03046993.vbs"
      4⤵
      PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Hearts\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default\NetHood\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\it-IT\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\it-IT\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Filesize
1.6MB

MD5
8d9fc7a3ad31e1ae7ba0726b98e5bc5e

SHA1
9bcf75e7b28d4d4a9b9fff2ddcd05be090b56608

SHA256
69f7305b64ebd6f10aa3f49a662da371d5f641308e48210f2e3afd0c16acc5a9

SHA512
4e9735ac24f1f50da168af4f36145b2a1f74573b5463a75b79cd2e95bf858117afa9fabf03e582b1effbbbadec3def8d433ec59eb7223f9aabf14713b3b86f41

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\ja-JP\lsm.exe

Filesize
1.6MB

MD5
1ebfb712a8a622deebc8a25c1dc52b61

SHA1
f0c53b4db39e84e9fe0f5cd9af677bfc4ece6324

SHA256
b5071c256bfd01fd23ee3544ea618fc68a6e3406e93b740c87be1c268a17197a

SHA512
303d534ade93021b352317dc18c2d68ef1c975721864688954fed98aaa2a8c4773f5bafc5772cc913976898dc7373635a79145148976998c524a7be5a45c520b

Download Submit
C:\Program Files\Windows Defender\de-DE\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Filesize
716KB

MD5
58f9793c541d10807bec3ab0a4ca0cc3

SHA1
ffa106e40fc3ad5d74fd927abe82f5628bdc3552

SHA256
e8eac0d9545aceac598ae0eeb50517bb649b40d56a02897d10158c536868b9e7

SHA512
e5523cce22546f648ff5ccb47c2e3ec226e43571cc27fbaa7a30635ea788bc0938bec95d01d01e056f17abc631473363e7d8b7f29d71c8e1c13efaf1aa15c63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\02bcdcda-36ec-415b-81f7-a13f03046993.vbs

Filesize
560B

MD5
68d9ffdf35c879ecf89f55bd1536b2ab

SHA1
ab950b351cddc3ab3bbb9a5df56d8805061cf52e

SHA256
044125ac10b3a9ae7911299fd73cbfe42f3e286c6eda43493132b49c2d677743

SHA512
38ade5cdce3690535d57d5daddb693337e26c6187d35940bce79cdf7f52ed18896a8878ea1a167d05e5a2f64f9600c6b49e5a5dd7ba9d3d4e5c9dcbbc6783fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\3470c984-a09a-4a5e-bcba-924ee0af9e24.vbs

Filesize
784B

MD5
9b28457c25065b81240c75c382dc3448

SHA1
1753a462c2ee86109c1822f623f2fce7a4c5d8ba

SHA256
097cd14cac7c41cb0688fc2068fbe7637da7513e69f484874c4c372c4860a54d

SHA512
e8ffdf5f385b176e845d2864ea33c967225b5280933d5f76b30df9206245fb4f85ccd7be549064ebc1138275f3568f6ae146300f95c64c76f685c0fcd15c7564

Download Submit
C:\Users\Admin\AppData\Local\Temp\a0e96d61-f5b6-47ed-ba34-073d6158da7f.vbs

Filesize
784B

MD5
937fdeed97f6552e9b0446d29ba71e4a

SHA1
f368ab0d0d8abc1cb77b71993dac81a9641758fb

SHA256
f96a9af04967519ac686202d04bf58914016c973933589147431504c47a01ed1

SHA512
c324c9b29528f0ad4c0b4c5e83e61a84d5f744bd6ecf8ab2a7f50005c3615e5824a7c8e5e23edf20fe02532a0c6937f010e5828098834b0896c3bc3927fd80f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\aed8e25df82f4ea2ec0de33810a5339b52426169.exe

Filesize
329KB

MD5
4ba147b665e5accf92bd3b205454052b

SHA1
2cbf931d9b7f418d859993832e45ee8453d99c68

SHA256
428fc3a4d3ca7b2a01668522f7f8bd12db7b8d6744f981c12505a95aa81fc4b8

SHA512
996fbcf4701082bb87cda1de86b939a5ad3b2d584735cc08ce22b683359d1875f041da2b716ffa6fe54f947ed64533f1965aa99fa176162cab1c75c0378d3251

Download Submit
C:\Users\Admin\AppData\Local\Temp\edd17aaf-46d5-416b-a5ae-10e0850a8f7c.vbs

Filesize
784B

MD5
65268cc8ae9d78f3cbd9a1d03c7d4efa

SHA1
044614f36d527b0b4fad37563e04b8071e040855

SHA256
0d407fd0e3089b29e078bc7987823e344832d05d653ba1c11ca66f6f191f4fde

SHA512
df2e412e7e880368ae729ecac7c08efbdee919266a71d8e6df4f51511de4b1d24747c0242f116a510c6271251ecea0158abecdd6f5ac6d4b5e909c286b329ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0d707c3-4cc7-4b03-a78c-de803c6be5f2.vbs

Filesize
784B

MD5
f43b8c6ae4e709caa5456151f2798493

SHA1
bba7b2e64cdc5e1b8d25d7320402b8e312220041

SHA256
3fea5d8d1aa332fdf837778422535ab2034109162f5caa3ccac7278d9662163d

SHA512
9c1652557e37c22fa4868301af7c6b43b9a5ffbda425dd7a17db5063a3b121bb51e5cbf276844eeadd56c8c9aa23246829eec63d6eacb377474efe73c11a50e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\sIhoPTDM6V.bat

Filesize
273B

MD5
badfb9cc738bca3f4bc15f7a7a3f03ab

SHA1
faf31fc82ea30276ff4b0498d985ce994bd46129

SHA256
5eb194c9e982b4e587dd5df3da6cf53c76994eabf7a89810ff726087dd1db720

SHA512
bf26a68803c2f1c26b3d173cee1639c683b0f0ae207aeceea02b9d9ee77a902953a1cb98d7730c97ff81ca680fe241c7d1fd4b917715a4aa937e85dfe7633e2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1bd681bf610d3b6e9d4a3c68e828198a

SHA1
e0b344ca1bac41fa3f504124e5093c9ae0ca938c

SHA256
84836617dbf742f3457ee70ad39d78a6adc32b9dd1a60b95bb7249b7205087d5

SHA512
d7a6e6eb67056b4ec3e122def6c4f7de0524bf74214d33d353d06ea9715412789e42c5adc396831ccaef22ef147fb99d848f9e91ca58be9435776cf987073e49

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe

Filesize
1.6MB

MD5
517861702fe0a89aa5e3af35d9f96661

SHA1
50101d8bff153320694baf54bc7b68e585720d4d

SHA256
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

SHA512
da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Network Shortcuts\smss.exe

Filesize
1.6MB

MD5
93bd721190cfab14c8dd6809df03038f

SHA1
3c7cb3614d06953ac925d3c61cda9ac32a443de2

SHA256
2039388c746c1ad9b58fa083cdf036adb516833e4feea2507fdc031eb2ba82af

SHA512
cc0f7d6bcb4e7ff4e7fdc3474cc9b71e4af1bf96ed1c3f545806265323792f2c0022ee579f01b971416dee6c896db1a537d9b39e9d3e466a28c6c97879e5bf17

Download Submit
C:\Users\Default\lsm.exe

Filesize
1.6MB

MD5
47bb6018acb93aa113c6a0db717fa140

SHA1
c546ec7bc044ce860e6432aa6d1d98d954ae68fc

SHA256
809f07e769a750a4b7db5199fe96257c3c04c7d94f9fd0e95749d7073b71e34c

SHA512
7ab7175ab3f1d89ee8894d50ec6cbf5e7186058c8efb5fe465522928f307b7e3c9f31f61d9df861de5b259cb2e989b35cc35a14b7de7f4c926ff2a0a35ebd013

Download Submit
memory/2004-261-0x0000000001280000-0x0000000001422000-memory.dmp

Filesize
1.6MB

Download
memory/2312-284-0x0000000000290000-0x0000000000432000-memory.dmp

Filesize
1.6MB

Download
memory/2324-207-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/2324-206-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2380-3-0x0000000000800000-0x000000000081C000-memory.dmp

Filesize
112KB

Download
memory/2380-16-0x0000000002190000-0x000000000219C000-memory.dmp

Filesize
48KB

Download
memory/2380-5-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/2380-6-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2380-7-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/2380-198-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/2380-8-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2380-10-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/2380-11-0x0000000002140000-0x000000000214A000-memory.dmp

Filesize
40KB

Download
memory/2380-1-0x00000000000B0000-0x0000000000252000-memory.dmp

Filesize
1.6MB

Download
memory/2380-12-0x0000000002150000-0x000000000215E000-memory.dmp

Filesize
56KB

Download
memory/2380-13-0x0000000002160000-0x0000000002168000-memory.dmp

Filesize
32KB

Download
memory/2380-15-0x0000000002180000-0x000000000218A000-memory.dmp

Filesize
40KB

Download
memory/2380-0-0x000007FEF53A3000-0x000007FEF53A4000-memory.dmp

Filesize
4KB

Download
memory/2380-14-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2380-9-0x0000000000860000-0x000000000086C000-memory.dmp

Filesize
48KB

Download
memory/2380-4-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2380-2-0x000007FEF53A0000-0x000007FEF5D8C000-memory.dmp

Filesize
9.9MB

Download
memory/3056-250-0x0000000000B50000-0x0000000000CF2000-memory.dmp

Filesize
1.6MB

Download