dcrat | b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05-12-2024 01:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Size

1.7MB
MD5

9dd2bc624ea9c953ff5621fef397066b
SHA1

e4ea9a4db77e4a5b3f062d4a3bbe10aa04913593
SHA256

b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6
SHA512

c63117abd2afa7b97afa1439b44412439bf5c0608fdcd4d45fce397d1a2e30766e2df0a19fafcb43b3cf657abe379848dbed4eaa666474be19ec52b7e7740a12
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2620	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2620	schtasks.exe	30

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2688-1-0x0000000001080000-0x0000000001240000-memory.dmp	dcrat
behavioral1/files/0x0007000000017420-27.dat	dcrat
behavioral1/files/0x000b000000015d21-114.dat	dcrat
behavioral1/files/0x0009000000017420-125.dat	dcrat
behavioral1/files/0x000a000000017520-148.dat	dcrat
behavioral1/files/0x000b000000019080-159.dat	dcrat
behavioral1/files/0x0008000000019329-230.dat	dcrat
behavioral1/files/0x0007000000019371-237.dat	dcrat
behavioral1/files/0x00070000000193e6-263.dat	dcrat
behavioral1/memory/1448-449-0x0000000000390000-0x0000000000550000-memory.dmp	dcrat
behavioral1/memory/3000-460-0x0000000001310000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1856-483-0x00000000013B0000-0x0000000001570000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
544	powershell.exe
2276	powershell.exe
2184	powershell.exe
2608	powershell.exe
1676	powershell.exe
2712	powershell.exe
1528	powershell.exe
3024	powershell.exe
2796	powershell.exe
1880	powershell.exe
2484	powershell.exe
2980	powershell.exe
1988	powershell.exe
1656	powershell.exe
1148	powershell.exe
2452	powershell.exe
1964	powershell.exe
2828	powershell.exe
472	powershell.exe
1544	powershell.exe
2708	powershell.exe
2380	powershell.exe
3052	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Executes dropped EXE 10 IoCs

pid	Process
1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
1448	conhost.exe
3000	conhost.exe
2208	conhost.exe
1856	conhost.exe
2720	conhost.exe
1724	conhost.exe
1988	conhost.exe
1576	conhost.exe
2560	conhost.exe

Drops file in Program Files directory 45 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\lsass.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Idle.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Media Player\6ccacd8608530f	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Mail\lsass.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCX9488.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\RCX94A8.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXA0C3.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXB4E1.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\DVD Maker\en-US\886983d96e3d3e	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\MSBuild\Microsoft\dwm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows Portable Devices\d5ace72e83c328	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\24dbde2999530e	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\dwm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\56085415360792	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\d5ace72e83c328	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\RCXA055.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXB2DC.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCXB4E2.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\MSBuild\Microsoft\6cb0b6c459d5d3	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Mail\6203df4a6bafc7	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\RCXB2DD.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\MSBuild\e978f868350d50	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\MSBuild\powershell.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\csrss.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\WmiPrvSE.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\fr-FR\System.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCX994D.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCX99DA.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA345.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\e978f868350d50	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\Windows Media Player\Idle.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\27d1bcfc3c54e0	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXA2D7.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\WmiPrvSE.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files\DVD Maker\en-US\csrss.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Program Files (x86)\MSBuild\powershell.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\lsm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Setup\State\lsm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\security\templates\conhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\DigitalLocker\de-DE\powershell.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\L2Schemas\Idle.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\Media\Cityscape\smss.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\Setup\State\101b941d020240	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Setup\State\RCXA972.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\L2Schemas\Idle.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\DigitalLocker\de-DE\e978f868350d50	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\DigitalLocker\de-DE\powershell.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\Media\Cityscape\69ddcba757bf72	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Media\Cityscape\smss.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\security\templates\088424020bedd6	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\security\templates\conhost.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\rescache\rc0005\lsm.exe	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Media\Cityscape\RCXA568.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Media\Cityscape\RCXA569.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File opened for modification	C:\Windows\Setup\State\RCXA971.tmp	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
File created	C:\Windows\L2Schemas\6ccacd8608530f	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1992	schtasks.exe
1752	schtasks.exe
2640	schtasks.exe
2904	schtasks.exe
2104	schtasks.exe
2768	schtasks.exe
2864	schtasks.exe
2640	schtasks.exe
3040	schtasks.exe
2736	schtasks.exe
2204	schtasks.exe
2020	schtasks.exe
1816	schtasks.exe
3008	schtasks.exe
376	schtasks.exe
1624	schtasks.exe
1964	schtasks.exe
1960	schtasks.exe
680	schtasks.exe
1036	schtasks.exe
3008	schtasks.exe
2188	schtasks.exe
2648	schtasks.exe
1824	schtasks.exe
888	schtasks.exe
2840	schtasks.exe
1948	schtasks.exe
2012	schtasks.exe
2852	schtasks.exe
2536	schtasks.exe
2112	schtasks.exe
2396	schtasks.exe
2292	schtasks.exe
2444	schtasks.exe
2592	schtasks.exe
1100	schtasks.exe
1676	schtasks.exe
2828	schtasks.exe
552	schtasks.exe
2480	schtasks.exe
1568	schtasks.exe
2212	schtasks.exe
2860	schtasks.exe
2124	schtasks.exe
2704	schtasks.exe
2092	schtasks.exe
1368	schtasks.exe
2676	schtasks.exe
1756	schtasks.exe
2748	schtasks.exe
1312	schtasks.exe
264	schtasks.exe
1680	schtasks.exe
1292	schtasks.exe
1724	schtasks.exe
472	schtasks.exe
2876	schtasks.exe
2740	schtasks.exe
1856	schtasks.exe
1520	schtasks.exe
1396	schtasks.exe
2056	schtasks.exe
2284	schtasks.exe
2628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
2380	powershell.exe
2796	powershell.exe
2608	powershell.exe
472	powershell.exe
1880	powershell.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	472	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1448	conhost.exe
Token: SeDebugPrivilege	3000	conhost.exe
Token: SeDebugPrivilege	2208	conhost.exe
Token: SeDebugPrivilege	1856	conhost.exe
Token: SeDebugPrivilege	2720	conhost.exe
Token: SeDebugPrivilege	1724	conhost.exe
Token: SeDebugPrivilege	1988	conhost.exe
Token: SeDebugPrivilege	1576	conhost.exe
Token: SeDebugPrivilege	2560	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2796	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	85
PID 2688 wrote to memory of 2796	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	85
PID 2688 wrote to memory of 2796	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	85
PID 2688 wrote to memory of 1880	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	86
PID 2688 wrote to memory of 1880	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	86
PID 2688 wrote to memory of 1880	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	86
PID 2688 wrote to memory of 2708	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	87
PID 2688 wrote to memory of 2708	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	87
PID 2688 wrote to memory of 2708	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	87
PID 2688 wrote to memory of 2608	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	88
PID 2688 wrote to memory of 2608	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	88
PID 2688 wrote to memory of 2608	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	88
PID 2688 wrote to memory of 2380	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	90
PID 2688 wrote to memory of 2380	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	90
PID 2688 wrote to memory of 2380	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	90
PID 2688 wrote to memory of 2184	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	92
PID 2688 wrote to memory of 2184	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	92
PID 2688 wrote to memory of 2184	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	92
PID 2688 wrote to memory of 3052	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	96
PID 2688 wrote to memory of 3052	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	96
PID 2688 wrote to memory of 3052	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	96
PID 2688 wrote to memory of 2712	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	97
PID 2688 wrote to memory of 2712	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	97
PID 2688 wrote to memory of 2712	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	97
PID 2688 wrote to memory of 2484	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	98
PID 2688 wrote to memory of 2484	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	98
PID 2688 wrote to memory of 2484	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	98
PID 2688 wrote to memory of 1964	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	99
PID 2688 wrote to memory of 1964	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	99
PID 2688 wrote to memory of 1964	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	99
PID 2688 wrote to memory of 472	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	100
PID 2688 wrote to memory of 472	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	100
PID 2688 wrote to memory of 472	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	100
PID 2688 wrote to memory of 2452	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	101
PID 2688 wrote to memory of 2452	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	101
PID 2688 wrote to memory of 2452	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	101
PID 2688 wrote to memory of 1232	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	109
PID 2688 wrote to memory of 1232	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	109
PID 2688 wrote to memory of 1232	2688	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	109
PID 1232 wrote to memory of 1148	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	159
PID 1232 wrote to memory of 1148	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	159
PID 1232 wrote to memory of 1148	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	159
PID 1232 wrote to memory of 1544	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	160
PID 1232 wrote to memory of 1544	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	160
PID 1232 wrote to memory of 1544	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	160
PID 1232 wrote to memory of 1656	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	162
PID 1232 wrote to memory of 1656	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	162
PID 1232 wrote to memory of 1656	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	162
PID 1232 wrote to memory of 2276	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	164
PID 1232 wrote to memory of 2276	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	164
PID 1232 wrote to memory of 2276	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	164
PID 1232 wrote to memory of 1988	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	165
PID 1232 wrote to memory of 1988	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	165
PID 1232 wrote to memory of 1988	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	165
PID 1232 wrote to memory of 544	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	167
PID 1232 wrote to memory of 544	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	167
PID 1232 wrote to memory of 544	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	167
PID 1232 wrote to memory of 2944	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	169
PID 1232 wrote to memory of 2944	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	169
PID 1232 wrote to memory of 2944	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	169
PID 1232 wrote to memory of 2980	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	170
PID 1232 wrote to memory of 2980	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	170
PID 1232 wrote to memory of 2980	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	170
PID 1232 wrote to memory of 3024	1232	b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe	171

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
"C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2712
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe
  "C:\Users\Admin\AppData\Local\Temp\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2276
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1676
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2cfOw3EDP6.bat"
    3⤵
    PID:1960
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2764
  - - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
      "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1448
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\86d5a5be-ac03-4219-8713-06ebb540328f.vbs"
        5⤵
        
        PID:1520
      - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2fe2bc8a-b91e-4285-8b37-05ad6f9e8b4c.vbs"
        7⤵
        
        PID:3004
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f714864c-e573-4f4f-845d-509210948e94.vbs"
        9⤵
        
        PID:1600
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\055f7539-ddc6-454c-8fb9-25e4b55e7335.vbs"
        11⤵
        
        PID:1368
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba057b27-4181-472e-aae0-caa6e502c54d.vbs"
        13⤵
        
        PID:2416
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a34abeb7-a3c9-45d7-b9ad-cfd368ead311.vbs"
        15⤵
        
        PID:2404
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d7a9c980-b0e1-4866-a750-21321352b88c.vbs"
        17⤵
        
        PID:2552
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\db46f4d0-4187-4351-bf2c-d69c59a89318.vbs"
        19⤵
        
        PID:2336
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9e82bef-49fa-43e3-b1aa-0582eaddbdfa.vbs"
        21⤵
        
        PID:2812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e74ebf1f-17d1-41d4-8f6f-68e3233d3ef7.vbs"
        21⤵
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ea55b466-5bf4-4559-b1ca-d442668d8354.vbs"
        19⤵
        
        PID:2408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2c5859e-2f79-40d3-9b82-1766d6a859f6.vbs"
        17⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\62fa5626-43ee-42ba-9172-42b25641964c.vbs"
        15⤵
        
        PID:2156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a6ebcc90-84e3-4efa-9c4d-506902a0dd0f.vbs"
        13⤵
        
        PID:576
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\955e2c21-f0e6-44b6-a54c-84044d973a93.vbs"
        11⤵
        
        PID:2216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\604d7ba8-43f1-4d9d-8c4d-40a0142ec044.vbs"
        9⤵
        
        PID:2088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5bea7c15-00f5-44f0-9ea6-07f2efc660d6.vbs"
        7⤵
        
        PID:1824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d56f2e9-7a22-49c9-83b6-8c557d885e47.vbs"
        5⤵
        
        PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Cityscape\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Cityscape\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\Media\Cityscape\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Setup\State\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Setup\State\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Setup\State\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\Favorites\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Favorites\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\L2Schemas\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\L2Schemas\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /f
1⤵
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\security\templates\conhost.exe'" /f
1⤵
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\security\templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\security\templates\conhost.exe'" /rl HIGHEST /f
1⤵
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Admin\Music\powershell.exe'" /rl HIGHEST /f
1⤵
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Music\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /f
1⤵
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe'" /f
1⤵
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6" /sc ONLOGON /tr "'C:\MSOCache\All Users\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6b" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /f
1⤵
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\DigitalLocker\de-DE\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\de-DE\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\OSPPSVC.exe

Filesize
1.7MB

MD5
68379955b21a57fd66e874c9487ee831

SHA1
7344a77587d2cb7b15349c7ee07242c037f0faa0

SHA256
6c39fb3b7e1608b25707f2cf8bbe01b791cc49b855f86e5f2029efb4b48b5d5f

SHA512
e415592ea95910a3677861fecdaa66e3bf2a81f367820cee79d6c7b42cd9b5916032b9fdc687d963cb07beef313955d00b2f94fdd20fcc4447b657ca78d4502d

Download Submit
C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
1.7MB

MD5
655caa7e04e82dab931e978c0fc57ba9

SHA1
cde51350bf1ccddaf633dd0a0c7f1aa8e0da5d15

SHA256
00c8377833517e858b7ba02ce6527eade126b7dee8d8911f0dee96f73be387ee

SHA512
ed7c78e620f39630ca4842118a18852f920d3664dfcdb7c02254211545c607d122135b424dc86fc1042bdbb6c0958a3d9dd9b74a0514d9566adcf85ad162a6f4

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe

Filesize
1.7MB

MD5
9dd2bc624ea9c953ff5621fef397066b

SHA1
e4ea9a4db77e4a5b3f062d4a3bbe10aa04913593

SHA256
b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6

SHA512
c63117abd2afa7b97afa1439b44412439bf5c0608fdcd4d45fce397d1a2e30766e2df0a19fafcb43b3cf657abe379848dbed4eaa666474be19ec52b7e7740a12

Download Submit
C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\wininit.exe

Filesize
1.7MB

MD5
b1f821c6a5700a3c7af5dc37a6e65d82

SHA1
0e5d692a466d353449de4345a0455e6f321b3279

SHA256
2e47acec713f2af713a18f39f1c3ca92d5cadb4d10862a21371946b5634c283c

SHA512
3636ec46175235b3df5b50756e166d2b18ebd487595dbcd87c530d6b7810117cdd1345db3490556066e8c0015c2056081cc20a0d7b977ab4a3ba3fde81776226

Download Submit
C:\Program Files (x86)\Windows Mail\lsass.exe

Filesize
1.7MB

MD5
ac03c5636c20131f767634584157ae4d

SHA1
c84983677ee768812f6132b550b9f00d904da577

SHA256
7dc73eb7b2b1ba21a94132c0260e86389293117ed72806727b1d2b4c531ccfc0

SHA512
cbf5beeab8327641af611fa189b0de1f92f235fac7fb7f3eec44f5564afaa216fb9e5dbf9ca259a0e218e86e3bbc36d0e775e7e166b15a41416529556b6725ae

Download Submit
C:\Program Files\Microsoft Office\Office14\1033\RCXB2DC.tmp

Filesize
1.7MB

MD5
503492ac0de47dd8856b8540407d1753

SHA1
f00e345f7cbff7ed2854e7524b496cdcc88a97e7

SHA256
3290c12aa0846d741ed2f10ae875c9dc555113e1175cffeba4152a4a86505298

SHA512
0436962ddb8f4bf16630af8a15e5da408b3c4f114b40cafd48fdf0d76edf373edadb882578a90185dc320a749f141265daa57d02d4313cf83d8147bda725960d

Download Submit
C:\Program Files\Windows Portable Devices\b1595d9ef6e1af82294a1b004f38c6843b4ba0613b0dea3a413f7189a08df2b6.exe

Filesize
1.7MB

MD5
02a1b23e9759e28f84baf88daa64e70c

SHA1
54c4b951d795ce6694ef0c2dce759c3903c1c940

SHA256
dfb5844d41823ac03df3721e00bd6228d988ab01b3c09e7fad4afe46a20ffa93

SHA512
46d5744fc32eac27fbcc953834cf25bd30b9fe68969930f415129711fb216674e3f7bc038b76df9e1b108788e4dff572dfba87016219a2f303430f66e9dc72a1

Download Submit
C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\Idle.exe

Filesize
1.7MB

MD5
47fdb8d7fe5d16c0cab5039ca67f3bbb

SHA1
8f577062f04f1d4fea97ecdc450f68d34c78b2b8

SHA256
e0d889c2fb2427373ce85fc944f8e3b2e0b1f01b3e301acc91b69c358e2549ec

SHA512
3307947ec7e7ab2c09a901f621bf8663aecac2dc55440a4b1a9d999932651c3c3d950972638cf1a2a1dd3db0b7c8007081afa85dc6137c2fd8c7c02653021354

Download Submit
C:\Users\Admin\AppData\Local\Temp\055f7539-ddc6-454c-8fb9-25e4b55e7335.vbs

Filesize
750B

MD5
e467bdbfb765de5e683920eef12d4d7f

SHA1
9cda386f1bbafcefabdfbd5f2866af8a61a30d96

SHA256
51cf822f50c499b64cd4cc8b18476e66bd71459410880b8eb068b3bf73165a89

SHA512
5e6034c8b7f8886ba3c24a2f3353737b16a64e4635738d1edbafdc5c7a5c48d419a2c55d607e87e60d21bb45792d7a882ad482d0e3ad45df54ba6aeedd6e8413

Download Submit
C:\Users\Admin\AppData\Local\Temp\2cfOw3EDP6.bat

Filesize
239B

MD5
4c19ba9593b3850f6ee00b6671736b13

SHA1
e160b8cba3c82dd49362c54725a2b8245cb32c7e

SHA256
b010240a4cab1ae4e1a7321dcfc04b821bf66761ef569c4fa9cba9e7cc13a729

SHA512
5ad91a8994c6cdd8d930134e30d517b5b3de8bde0cd9e7c1e7dc3daced3bc53ad85707f46186d9fa681c463fed180eb403f77816c544a42c3440eb4ff29f3b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d56f2e9-7a22-49c9-83b6-8c557d885e47.vbs

Filesize
526B

MD5
7e0d14f7b32ea8d8b6b2424794084c15

SHA1
10e7c1fa1a7c8584f088612673e4092aef3202f0

SHA256
24523c1876c8e69b252dff2ac79ab95e968b051d40945ddefc7a4d61652231bd

SHA512
e4f2a155cb719e6c99c3818f25be08062deea31b9f70ff256fa13c5ba37b94ca9c1867330f4391a3949c167f27dc5ba9ce41df31857c734699ea0f6efa3ff03a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2fe2bc8a-b91e-4285-8b37-05ad6f9e8b4c.vbs

Filesize
750B

MD5
b210d63163bd9dd978acefc001833de8

SHA1
fe5983d4b00059d7870a47676a295d1b32638b5d

SHA256
5d3e09440603c5f1afa6ba096c2a5326cb1b6eb7f81a3b4ba7851db937ad7787

SHA512
89208ee9f0f032314eadc417457aa6810cdd5a5df1ac6b8db6e8a55baccd613248ce224f8296746211423def22a8a830f32e9e98666b1156b0d0b0cfd8034022

Download Submit
C:\Users\Admin\AppData\Local\Temp\86d5a5be-ac03-4219-8713-06ebb540328f.vbs

Filesize
750B

MD5
0012895489063144a92cf45dddbebd66

SHA1
f9da29768a1343342f486a86f0ae4fea09610626

SHA256
50019b2aaff58ba95b1852bc4ef43fba62986148583d55ec0749ea9b35f45fbf

SHA512
249db9d73e7edf21bb7ba71bfd9f8c88ce925125dadaa72e5f254b61c873fc0f7d54ab03840d546996dd1f3f46074f4673367a3d4c63353acfab47a9a1e7464f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a34abeb7-a3c9-45d7-b9ad-cfd368ead311.vbs

Filesize
750B

MD5
1ef78bd63dcaa3e58db5e56f38254861

SHA1
b014f0a66b42d3511da76c47ac81de064ee9e043

SHA256
5b86a5eb2d7213d22f62c51cfcea38848a07c77b98b7f9e20b9d5a84f252ebd0

SHA512
96d4d1a0ff06a36873b7f9cae1288c726f5c17712fd6b5cee405c775feb8b4bb55db793c8fdc5fb7200106e662b8e91086a5c0d174099508a312cdc66820ba65

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba057b27-4181-472e-aae0-caa6e502c54d.vbs

Filesize
750B

MD5
bd774563b3784e86b1f19727237858b6

SHA1
6cae06d79c7ea4734cca7272a34af5e8cefeac37

SHA256
335f301407ef866ed7a2068e9fdc71d7b93e32c1f97641335d1f307c6596e1e2

SHA512
7e8c2a14d2281cf475bf842a0f0933bf73f6d62d45e94bfa7a0519cd907736b7aba6c9f8cd6a8f92cf1382f419f172c800597384e36db16b3f7bb1ff096ae034

Download Submit
C:\Users\Admin\AppData\Local\Temp\d7a9c980-b0e1-4866-a750-21321352b88c.vbs

Filesize
750B

MD5
7da362304fc03ac35655bce99f2848ba

SHA1
4983a18abcd20f36befec7805306efad2df77b31

SHA256
c7b9021f91b58be3af2004f83b55e4e32613bcdd057f3951da14c69ecf65171b

SHA512
7df672a2268a356613fc5847e5a5103108316322052518e5d293c922c6793cd42f3fae7643774cb1323e1b3c4eda97985f5e16c074384d10b8bb1f0c4f121695

Download Submit
C:\Users\Admin\AppData\Local\Temp\db46f4d0-4187-4351-bf2c-d69c59a89318.vbs

Filesize
750B

MD5
21df92931cb579290dfe43d8d5ce1ede

SHA1
a72ece5f375f3dfa5316ef3239206baa626e1fbd

SHA256
f34f141d1b78ffb4d1ccec0332516055d22993e9e9e1a9dcbdad90b224f3deaf

SHA512
9bab9c8ec6d30aa75d9b5d2601a455bac171553c2c9765be3ed90b34f9089022b9dcb7056d6adc23f89ca8b50eb5b0de4bd4c699d3ad3b89a4a60ec1f8ddbe53

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9e82bef-49fa-43e3-b1aa-0582eaddbdfa.vbs

Filesize
750B

MD5
81f1cd7e29b514750124f5dc90304c37

SHA1
43589e4edd7890d1f95bfb39e54dc8ffab12273a

SHA256
3872845a5fa407aa95947f953f26ab14263ccd00c2a90f18b845aeb939e30058

SHA512
f4bf2777e0bf7c9dd19fa25d572d2e69e3bea78ec43f5fb5b0b51a2b6895268c78305bf7f706637ca162a0dbb11f0dab37812b34d4cd416b24f6eceaba3faefa

Download Submit
C:\Users\Admin\AppData\Local\Temp\f714864c-e573-4f4f-845d-509210948e94.vbs

Filesize
750B

MD5
e322613445aac5a607731347b87fa6cd

SHA1
1004c1be99e3f6d2bf286ba4184e0be0e7a27db7

SHA256
79eb4a5246b22afddc168a952d7d27c4fba5e930c43ef3d8f49f9ba8b9fb4e8b

SHA512
52497d59df51bfd545dc14dc3a49fd276a89580547b1720b32e7476161555ce96374cd1de8db811fb9aeab753ac831d863f32ec61d81aa779fcfb67cd8757dca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K3PEZATGOPNIT6RYOOFC.temp

Filesize
7KB

MD5
5733d310847484364faa194a9edbf742

SHA1
47aef1054c185bb6b3c2196399e090770eb4b600

SHA256
d76a57fb0808d0f4bbb5b17d94adaeef3097ec2f7d98a58cafa915278d09e263

SHA512
ef0fcd4c8218a8b97d2d3e3eaa04fdedce238c9c1c3c2ce7d174c0ff800d1304d577625e8dc90047c6f63171394c3e0f6e692757853694d678dd8090d6ffd006

Download Submit
memory/1448-449-0x0000000000390000-0x0000000000550000-memory.dmp

Filesize
1.8MB

Download
memory/1724-506-0x0000000000A10000-0x0000000000A22000-memory.dmp

Filesize
72KB

Download
memory/1856-483-0x00000000013B0000-0x0000000001570000-memory.dmp

Filesize
1.8MB

Download
memory/1988-395-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1988-399-0x00000000026E0000-0x00000000026E8000-memory.dmp

Filesize
32KB

Download
memory/2380-276-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2608-289-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2688-13-0x0000000000B70000-0x0000000000B7A000-memory.dmp

Filesize
40KB

Download
memory/2688-12-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2688-209-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-293-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-186-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

Filesize
4KB

Download
memory/2688-19-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2688-16-0x0000000000B60000-0x0000000000B6C000-memory.dmp

Filesize
48KB

Download
memory/2688-14-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/2688-15-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/2688-0-0x000007FEF5073000-0x000007FEF5074000-memory.dmp

Filesize
4KB

Download
memory/2688-233-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/2688-1-0x0000000001080000-0x0000000001240000-memory.dmp

Filesize
1.8MB

Download
memory/2688-11-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2688-9-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/2688-8-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/2688-7-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2688-6-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/2688-5-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2688-4-0x0000000000260000-0x0000000000268000-memory.dmp

Filesize
32KB

Download
memory/2688-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2688-2-0x000007FEF5070000-0x000007FEF5A5C000-memory.dmp

Filesize
9.9MB

Download
memory/3000-460-0x0000000001310000-0x00000000014D0000-memory.dmp

Filesize
1.8MB

Download