dcrat | 7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/10/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

759B333FD8D1EEDB5666FDEA1DA25B25.exe
Size

827KB
MD5

759b333fd8d1eedb5666fdea1da25b25
SHA1

b66fc861196561f793062622b88cdb1065e35459
SHA256

7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e
SHA512

831006157773f5a30dbf07dcbfd484f49a978c077f8e132d33c8e044f8141462bb890c344724b23c3144488c1c406d576b7009c1205772a503ce6cc92692aec3
SSDEEP

12288:M+B2ad7F/Jf2xm1/nNfkOV+0Z3+5DlpAXdet4y5+q:gad7PuxmRn60Zu7xtZp

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1528	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	1528	schtasks.exe	30

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/3068-1-0x0000000001020000-0x00000000010F6000-memory.dmp	dcrat
behavioral1/files/0x0005000000019358-11.dat	dcrat
behavioral1/memory/2288-40-0x00000000010B0000-0x0000000001186000-memory.dmp	dcrat
behavioral1/memory/916-87-0x0000000000D40000-0x0000000000E16000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
916	csrss.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\de-DE\sppsvc.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\dllhost.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files\Windows Photo Viewer\spoolsv.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\69ddcba757bf72	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\c5b4cb5e9653cc	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\schtasks.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files\Windows Photo Viewer\f3b6ecef712a24	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\24dbde2999530e	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\smss.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\42af1c969fbb7b	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files\Windows Media Player\de-DE\0a1fd5f707cd16	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Internet Explorer\b75386f1303e64	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Windows Defender\5940a34987c991	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\3a6fe29a7ceee6	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\69ddcba757bf72	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\0a1fd5f707cd16	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Internet Explorer\taskhost.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Windows Defender\dllhost.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\spoolsv.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\SchCache\f3b6ecef712a24	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\winlogon.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\Migration\WTR\explorer.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\IME\es-ES\csrss.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\f3b6ecef712a24	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\IME\es-ES\886983d96e3d3e	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\Fonts\csrss.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\Offline Web Pages\lsass.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\SoftwareDistribution\AuthCabs\cc11b995f2a76d	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File opened for modification	C:\Windows\Fonts\csrss.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\Fonts\886983d96e3d3e	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\inf\fr-FR\sppsvc.exe	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\inf\fr-FR\0a1fd5f707cd16	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\Migration\WTR\7a0fd90576e088	759B333FD8D1EEDB5666FDEA1DA25B25.exe
File created	C:\Windows\Offline Web Pages\6203df4a6bafc7	759B333FD8D1EEDB5666FDEA1DA25B25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1984	schtasks.exe
2100	schtasks.exe
2020	schtasks.exe
2716	schtasks.exe
1356	schtasks.exe
2196	schtasks.exe
2164	schtasks.exe
332	schtasks.exe
1624	schtasks.exe
2360	schtasks.exe
1792	schtasks.exe
2132	schtasks.exe
2632	schtasks.exe
1932	schtasks.exe
448	schtasks.exe
1844	schtasks.exe
2228	schtasks.exe
2648	schtasks.exe
600	schtasks.exe
2368	schtasks.exe
540	schtasks.exe
2984	schtasks.exe
2660	schtasks.exe
1364	schtasks.exe
2576	schtasks.exe
2924	schtasks.exe
2492	schtasks.exe
2940	schtasks.exe
2884	schtasks.exe
2000	schtasks.exe
1716	schtasks.exe
2740	schtasks.exe
2804	schtasks.exe
2812	schtasks.exe
2032	schtasks.exe
2612	schtasks.exe
2004	schtasks.exe
1696	schtasks.exe
2168	schtasks.exe
1532	schtasks.exe
2704	schtasks.exe
292	schtasks.exe
2824	schtasks.exe
2024	schtasks.exe
784	schtasks.exe
1580	schtasks.exe
316	schtasks.exe
1656	schtasks.exe
2832	schtasks.exe
1476	schtasks.exe
1976	schtasks.exe
2316	schtasks.exe
2844	schtasks.exe
2716	schtasks.exe
2404	schtasks.exe
476	schtasks.exe
2928	schtasks.exe
872	schtasks.exe
2444	schtasks.exe
1940	schtasks.exe
2952	schtasks.exe
1300	schtasks.exe
2828	schtasks.exe
808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3068	759B333FD8D1EEDB5666FDEA1DA25B25.exe
3068	759B333FD8D1EEDB5666FDEA1DA25B25.exe
3068	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
2288	759B333FD8D1EEDB5666FDEA1DA25B25.exe
2288	759B333FD8D1EEDB5666FDEA1DA25B25.exe
2288	759B333FD8D1EEDB5666FDEA1DA25B25.exe
916	csrss.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3068	759B333FD8D1EEDB5666FDEA1DA25B25.exe
Token: SeDebugPrivilege	1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe
Token: SeDebugPrivilege	2288	759B333FD8D1EEDB5666FDEA1DA25B25.exe
Token: SeDebugPrivilege	916	csrss.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1424	3068	759B333FD8D1EEDB5666FDEA1DA25B25.exe	58
PID 3068 wrote to memory of 1424	3068	759B333FD8D1EEDB5666FDEA1DA25B25.exe	58
PID 3068 wrote to memory of 1424	3068	759B333FD8D1EEDB5666FDEA1DA25B25.exe	58
PID 1424 wrote to memory of 1540	1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe	74
PID 1424 wrote to memory of 1540	1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe	74
PID 1424 wrote to memory of 1540	1424	759B333FD8D1EEDB5666FDEA1DA25B25.exe	74
PID 1540 wrote to memory of 344	1540	cmd.exe	76
PID 1540 wrote to memory of 344	1540	cmd.exe	76
PID 1540 wrote to memory of 344	1540	cmd.exe	76
PID 1540 wrote to memory of 2288	1540	cmd.exe	77
PID 1540 wrote to memory of 2288	1540	cmd.exe	77
PID 1540 wrote to memory of 2288	1540	cmd.exe	77
PID 2288 wrote to memory of 916	2288	759B333FD8D1EEDB5666FDEA1DA25B25.exe	135
PID 2288 wrote to memory of 916	2288	759B333FD8D1EEDB5666FDEA1DA25B25.exe	135
PID 2288 wrote to memory of 916	2288	759B333FD8D1EEDB5666FDEA1DA25B25.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\759B333FD8D1EEDB5666FDEA1DA25B25.exe
"C:\Users\Admin\AppData\Local\Temp\759B333FD8D1EEDB5666FDEA1DA25B25.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\759B333FD8D1EEDB5666FDEA1DA25B25.exe
  "C:\Users\Admin\AppData\Local\Temp\759B333FD8D1EEDB5666FDEA1DA25B25.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wGw2lvD9xQ.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:344
  - - C:\Users\Admin\AppData\Local\Temp\759B333FD8D1EEDB5666FDEA1DA25B25.exe
      "C:\Users\Admin\AppData\Local\Temp\759B333FD8D1EEDB5666FDEA1DA25B25.exe"
      4⤵
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SchCache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\IME\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\AuthCabs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\AuthCabs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\inf\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\inf\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\inf\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /f
1⤵
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /f
1⤵
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\explorer.exe'" /rl HIGHEST /f
1⤵
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\lsass.exe'" /rl HIGHEST /f
1⤵
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\smss.exe'" /f
1⤵
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\smss.exe'" /rl HIGHEST /f
1⤵
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\smss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe'" /f
1⤵
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /f
1⤵
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe

Filesize
827KB

MD5
759b333fd8d1eedb5666fdea1da25b25

SHA1
b66fc861196561f793062622b88cdb1065e35459

SHA256
7a1a3397249836cac73c5f104211fb6cbb2317c830c148a65acb709210aadd2e

SHA512
831006157773f5a30dbf07dcbfd484f49a978c077f8e132d33c8e044f8141462bb890c344724b23c3144488c1c406d576b7009c1205772a503ce6cc92692aec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9385A.tmp

Filesize
716B

MD5
6c956109999c3d9e0611aaab6e6ec346

SHA1
a6421005f8fdeca01d3d9e92d380188762507606

SHA256
176a453f2bcb8e1a8c4bb993b03d126797d51e1a9b39c8efbea8071e99079c20

SHA512
f267f9facab05dd8dfc0a8ccf6a6276f4f495d234d686022bd3c78cc82d065390e37054a80f3a13c1a30268ca23525aebb8d2fa3bd7b52599342a6c4ed82bc7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9385A.tmp

Filesize
1KB

MD5
d560f6e4fa951bad912340a688978cd2

SHA1
b48815e647fdba3dae3eb940bd7e7089a6f20549

SHA256
41400465747c5ab1db0428e22c42a2ebe698f93be7937180a8660acdd9e802d8

SHA512
39d1e9b54af4a1051a7a030c2462120354bafb154ff32205b338a07981c918560f9f22fa248346b0cdf5774690ee3ecd67e0ce6e5258060c8431497daf66e7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\wGw2lvD9xQ.bat

Filesize
235B

MD5
d4a0b0dc6243ce8a679a53959adb27d0

SHA1
6f8db02333c68d49065b851940189d6e58ddfc7f

SHA256
3abde54ed2e6bc5d4fae51f90a67113b1c4dbf4f2f1455505a5d056151e1b9eb

SHA512
77979ec39b07a04bcf58291029e44ecf3b229ff6cf43efa21f5427c1b6982fde5b167fd02ca41cbf7f2c4641c4055fcd00da9cc9de2571ff775cce225f791b22

Download Submit
memory/916-87-0x0000000000D40000-0x0000000000E16000-memory.dmp

Filesize
856KB

Download
memory/2288-40-0x00000000010B0000-0x0000000001186000-memory.dmp

Filesize
856KB

Download
memory/3068-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000000001020000-0x00000000010F6000-memory.dmp

Filesize
856KB

Download
memory/3068-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/3068-22-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download