dcrat | 44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5

Analysis

max time kernel
117s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
Size

1.1MB
MD5

25e219d16e556ca28df1ae887c017818
SHA1

751f30629bc2320d4d33e1dc0b2f6cb522bdff8b
SHA256

44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5
SHA512

281fd1a68e828ad98365d6a6a47293d51330deb6a9fb0b9d32045e6f5174cecdb1072846134e333a2b7b544b3d8c54202608a989292a40e1bc4925df88f83fd8
SSDEEP

24576:ZxU376C0skFgqIyXFnbCDQgZ8e7FRsWC9ZRHInh4j1Cf6liXwkOmpdv:EPkVXFGDQoP7FRCZRonh4hfewhmpdv

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2092	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2092	schtasks.exe	32

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2880-21-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2880-19-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2880-17-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2880-13-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat
behavioral1/memory/2880-11-0x0000000000400000-0x000000000052E000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 28 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2068	powershell.exe
1108	powershell.exe
2568	powershell.exe
2796	powershell.exe
2144	powershell.exe
2960	powershell.exe
1028	powershell.exe
1572	powershell.exe
2540	powershell.exe
1640	powershell.exe
2832	powershell.exe
2384	powershell.exe
2644	powershell.exe
1496	powershell.exe
548	powershell.exe
1596	powershell.exe
2544	powershell.exe
2180	powershell.exe
2024	powershell.exe
2120	powershell.exe
1840	powershell.exe
1248	powershell.exe
2468	powershell.exe
752	powershell.exe
3000	powershell.exe
2932	powershell.exe
2268	powershell.exe
2744	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2964	csrss.exe
2712	csrss.exe
2008	csrss.exe

Loads dropped DLL 5 IoCs

pid	Process
2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2668	WScript.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\el-GR\csrss.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Windows\SysWOW64\el-GR\886983d96e3d3e	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Windows\SysWOW64\el-GR\RCXB05.tmp	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Windows\SysWOW64\el-GR\RCXB06.tmp	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Windows\SysWOW64\el-GR\csrss.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2096 set thread context of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2884 set thread context of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2964 set thread context of 2712	2964	csrss.exe	171

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\es-ES\24dbde2999530e	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\69ddcba757bf72	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\7a0fd90576e088	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\4302fcb70c1c29	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\explorer.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\explorer.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX68F.tmp	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\smss.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\b75386f1303e64	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files\Windows Mail\es-ES\RCX68E.tmp	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\0a1fd5f707cd16	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\smss.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\debug\WIA\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Windows\debug\WIA\4302fcb70c1c29	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Windows\IME\fr-FR\lsass.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File opened for modification	C:\Windows\debug\WIA\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Windows\IME\fr-FR\lsass.exe	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
File created	C:\Windows\IME\fr-FR\6203df4a6bafc7	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1076	schtasks.exe
852	schtasks.exe
1148	schtasks.exe
2432	schtasks.exe
1092	schtasks.exe
1776	schtasks.exe
1496	schtasks.exe
3020	schtasks.exe
444	schtasks.exe
2336	schtasks.exe
2872	schtasks.exe
2128	schtasks.exe
3008	schtasks.exe
684	schtasks.exe
1268	schtasks.exe
1152	schtasks.exe
1080	schtasks.exe
2416	schtasks.exe
2880	schtasks.exe
2972	schtasks.exe
1280	schtasks.exe
1892	schtasks.exe
984	schtasks.exe
2832	schtasks.exe
2712	schtasks.exe
744	schtasks.exe
776	schtasks.exe
2340	schtasks.exe
352	schtasks.exe
548	schtasks.exe
2784	schtasks.exe
1964	schtasks.exe
2692	schtasks.exe
828	schtasks.exe
1608	schtasks.exe
2080	schtasks.exe
1796	schtasks.exe
536	schtasks.exe
2392	schtasks.exe
2444	schtasks.exe
536	schtasks.exe
2548	schtasks.exe
1260	schtasks.exe
2876	schtasks.exe
880	schtasks.exe
2968	schtasks.exe
1108	schtasks.exe
2828	schtasks.exe
2024	schtasks.exe
2788	schtasks.exe
2468	schtasks.exe
2296	schtasks.exe
1708	schtasks.exe
2400	schtasks.exe
2308	schtasks.exe
2644	schtasks.exe
2888	schtasks.exe
3056	schtasks.exe
2640	schtasks.exe
692	schtasks.exe
1912	schtasks.exe
2320	schtasks.exe
2700	schtasks.exe
2840	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
2068	powershell.exe
548	powershell.exe
2144	powershell.exe
1496	powershell.exe
2544	powershell.exe
2268	powershell.exe
1572	powershell.exe
1596	powershell.exe
1840	powershell.exe
1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
1248	powershell.exe
1028	powershell.exe
752	powershell.exe
2932	powershell.exe
2180	powershell.exe
2568	powershell.exe
2644	powershell.exe
2832	powershell.exe
2744	powershell.exe
2120	powershell.exe
3000	powershell.exe
2796	powershell.exe
2540	powershell.exe
2024	powershell.exe
1108	powershell.exe
2960	powershell.exe
2384	powershell.exe
1640	powershell.exe
2468	powershell.exe
2712	csrss.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2712	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2096 wrote to memory of 2880	2096	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	31
PID 2880 wrote to memory of 1496	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	57
PID 2880 wrote to memory of 1496	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	57
PID 2880 wrote to memory of 1496	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	57
PID 2880 wrote to memory of 1496	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	57
PID 2880 wrote to memory of 1840	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	58
PID 2880 wrote to memory of 1840	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	58
PID 2880 wrote to memory of 1840	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	58
PID 2880 wrote to memory of 1840	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	58
PID 2880 wrote to memory of 2068	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	59
PID 2880 wrote to memory of 2068	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	59
PID 2880 wrote to memory of 2068	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	59
PID 2880 wrote to memory of 2068	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	59
PID 2880 wrote to memory of 548	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	60
PID 2880 wrote to memory of 548	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	60
PID 2880 wrote to memory of 548	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	60
PID 2880 wrote to memory of 548	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	60
PID 2880 wrote to memory of 2144	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	63
PID 2880 wrote to memory of 2144	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	63
PID 2880 wrote to memory of 2144	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	63
PID 2880 wrote to memory of 2144	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	63
PID 2880 wrote to memory of 2268	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	64
PID 2880 wrote to memory of 2268	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	64
PID 2880 wrote to memory of 2268	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	64
PID 2880 wrote to memory of 2268	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	64
PID 2880 wrote to memory of 1572	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	66
PID 2880 wrote to memory of 1572	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	66
PID 2880 wrote to memory of 1572	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	66
PID 2880 wrote to memory of 1572	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	66
PID 2880 wrote to memory of 1596	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	68
PID 2880 wrote to memory of 1596	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	68
PID 2880 wrote to memory of 1596	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	68
PID 2880 wrote to memory of 1596	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	68
PID 2880 wrote to memory of 2544	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	70
PID 2880 wrote to memory of 2544	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	70
PID 2880 wrote to memory of 2544	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	70
PID 2880 wrote to memory of 2544	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	70
PID 2880 wrote to memory of 2884	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	75
PID 2880 wrote to memory of 2884	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	75
PID 2880 wrote to memory of 2884	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	75
PID 2880 wrote to memory of 2884	2880	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	75
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 2884 wrote to memory of 1128	2884	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	76
PID 1128 wrote to memory of 1248	1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	132
PID 1128 wrote to memory of 1248	1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	132
PID 1128 wrote to memory of 1248	1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	132
PID 1128 wrote to memory of 1248	1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	132
PID 1128 wrote to memory of 1028	1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	133
PID 1128 wrote to memory of 1028	1128	44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
"C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
  "{path}"
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1496
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2268
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\el-GR\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1596
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
    "C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe
      "{path}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1128
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Network Sharing\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\fr-FR\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "{path}"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\09f18057-5fdb-4883-a315-815b0eaa80eb.vbs"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2668
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2008
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ba7e28d-b756-4356-a9e0-6e3699faca36.vbs"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SysWOW64\el-GR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SysWOW64\el-GR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\el-GR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Local Settings\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b54" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b54" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Network Sharing\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Network Sharing\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\Network Sharing\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Windows\IME\fr-FR\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\IME\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\IME\fr-FR\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b54" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b54" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b54" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5" /sc ONLOGON /tr "'C:\Windows\debug\WIA\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b54" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5.exe'" /rl HIGHEST /f
1⤵
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe

Filesize
1.1MB

MD5
e12bfbd76f34848c8c80b1d6a9b1065d

SHA1
b59f5565b3bdb8d1632bea01f9a3bf06e4f29a99

SHA256
85fa4b050e77ddbcfa042512f24977a40c87b0f3f02009216dd5fa0a175ebba7

SHA512
62831f2496edd47fb67eb1b88543628dce5c6890193e7f38466e717022654d67a6d2156fcfd981c9442031ae647381f8929ed2aad4b150c05896c139f5b6458d

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe

Filesize
1.1MB

MD5
25e219d16e556ca28df1ae887c017818

SHA1
751f30629bc2320d4d33e1dc0b2f6cb522bdff8b

SHA256
44e15f3bc7ee9a38a3ce73d8f1a787124ccfd30f644a305d096fee27388447b5

SHA512
281fd1a68e828ad98365d6a6a47293d51330deb6a9fb0b9d32045e6f5174cecdb1072846134e333a2b7b544b3d8c54202608a989292a40e1bc4925df88f83fd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\09f18057-5fdb-4883-a315-815b0eaa80eb.vbs

Filesize
748B

MD5
7511a3a82feff66539967a8353c2bdfa

SHA1
a526cf27918f125c91cf5d3e4b2074fd3f34b234

SHA256
547e0b8558dd90f6fd9d40fd55e8d10f7e29b8529adcc15535bc043d0c3398e1

SHA512
1015fec8ee3fb84b7fbf87b512a6b3225a5cf9732f9aae268814d43df2e36a171cc5deb884819cc7d32738b7e0773cdfe236d239b5f56613c43e4c84e5e0cd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ba7e28d-b756-4356-a9e0-6e3699faca36.vbs

Filesize
524B

MD5
341c9600cc4b6df781217e5d20b01862

SHA1
102ab874dc5928e6efdaa3c35b3756522dd4a98d

SHA256
ba0feda61b6bca530bd75e89d8f94a562410c89a2b2b6a2e52c7298a83da27c8

SHA512
67078855c6b1f70cffb82e701c3f333ff4d2983be2c4f0c382ca7e1702f4d1eabff978d6abd480d2172a817a1903ddfa13c451c7c6fa506585f0e3a8a8360f7f

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
1.1MB

MD5
a4ed84f6bc9a15477f7c540ffce75ed0

SHA1
da5712d99e54b5389587d5c46a29f7cd1b763bc0

SHA256
07f4bd19cce22f8cb72b88914b2cfd3513965ec33f2dbb620d6e62d59dacafe0

SHA512
b6b948a94371978e0a5a246a437ae5cb7c3cc0efaa5826bd9c0ffb9c8102940af2e7e4c3ece671f8eb5a31a171abf437718de70d2e4cc201bdafe010fbfc37f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q72762U41X5WCY6RK63S.temp

Filesize
7KB

MD5
74919b609c6108111847938b3e4add96

SHA1
3fa1e751b331cdc818d98c36d7fe4a4226638690

SHA256
6adb905ae962bf2a31038a7603a467dce4973de851f1015b126033d7ece5fcbd

SHA512
44a9203d36b98311aa708d4a68a65f8c8b6720fbb68aa9aeb5118ad25d72cf51df6a188dd4b27c2db158a8ee788dfe0486dff1e04d68c85dd6b3094a42123a1a

Download Submit
C:\Users\Default\Idle.exe

Filesize
1.1MB

MD5
1afa1d1715f44af5b2fc860f9082a5e9

SHA1
0e9fe018d2f8195aaecbce81702d2a34b69f41ae

SHA256
c9628ff2d188f90174153bcb5881731d41c9114be03b839a45c214a1241de173

SHA512
1d9a92525f2ff2a92f9176ad17057d740bdd579ca780981040c95b878f02346df7e0182f19c36e78c5d9125ee3101659f7d5f101c6660c5b0e0b6faa1788c7f0

Download Submit
memory/1128-203-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-410-0x0000000000190000-0x00000000002BC000-memory.dmp

Filesize
1.2MB

Download
memory/2096-7-0x0000000005D00000-0x0000000005E2E000-memory.dmp

Filesize
1.2MB

Download
memory/2096-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2096-6-0x0000000005650000-0x0000000005746000-memory.dmp

Filesize
984KB

Download
memory/2096-5-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-4-0x00000000748BE000-0x00000000748BF000-memory.dmp

Filesize
4KB

Download
memory/2096-23-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-3-0x0000000000950000-0x0000000000962000-memory.dmp

Filesize
72KB

Download
memory/2096-2-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2096-1-0x0000000000A50000-0x0000000000B7C000-memory.dmp

Filesize
1.2MB

Download
memory/2712-398-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/2712-393-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-17-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2880-25-0x00000000007A0000-0x00000000007BC000-memory.dmp

Filesize
112KB

Download
memory/2880-29-0x0000000002220000-0x0000000002232000-memory.dmp

Filesize
72KB

Download
memory/2880-30-0x0000000002240000-0x000000000224C000-memory.dmp

Filesize
48KB

Download
memory/2880-33-0x00000000022E0000-0x00000000022EC000-memory.dmp

Filesize
48KB

Download
memory/2880-35-0x0000000002300000-0x000000000230C000-memory.dmp

Filesize
48KB

Download
memory/2880-34-0x00000000022F0000-0x00000000022FA000-memory.dmp

Filesize
40KB

Download
memory/2880-32-0x00000000022D0000-0x00000000022DE000-memory.dmp

Filesize
56KB

Download
memory/2880-31-0x00000000022C0000-0x00000000022CA000-memory.dmp

Filesize
40KB

Download
memory/2880-27-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/2880-26-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2880-28-0x00000000021F0000-0x0000000002200000-memory.dmp

Filesize
64KB

Download
memory/2880-24-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2880-22-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2880-193-0x00000000748B0000-0x0000000074F9E000-memory.dmp

Filesize
6.9MB

Download
memory/2880-8-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2880-10-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2880-11-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2880-21-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2880-13-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2880-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-19-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2884-192-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2964-311-0x0000000000CB0000-0x0000000000DDC000-memory.dmp

Filesize
1.2MB

Download