dcrat | b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72

Analysis

max time kernel
147s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 05:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
Size

2.3MB
MD5

95ce095073ce57e823674de34b621cdb
SHA1

129a46af1ad0ad1a15f6f3df3e1ee5e1147ae004
SHA256

b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72
SHA512

e16251a67637a09771d3962fca4fa92ac5f58483cff8cbf29c94f0eb0237f30deed49036a724cff32b0942715334865c2bb06084fefb0872551181c8e6accb28
SSDEEP

49152:bSrudTH6WUww8iz704mELP36hEgMMFzFOIh:GrudTHu0ivwELP38MMhFOIh

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2384	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2384	schtasks.exe	30

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2124-1-0x0000000000800000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/files/0x0005000000019334-17.dat	dcrat
behavioral1/memory/2360-89-0x0000000000E50000-0x00000000010A0000-memory.dmp	dcrat

Executes dropped EXE 1 IoCs

pid	Process
2360	csrss.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\wininit.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\42af1c969fbb7b	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\Microsoft Office\taskhost.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\3a6fe29a7ceee6	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\Microsoft Office\b75386f1303e64	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\Windows Defender\27d1bcfc3c54e0	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\schtasks.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\3a6fe29a7ceee6	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\69ddcba757bf72	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\schtasks.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\Windows Defender\System.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\schtasks.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\smss.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\aae7ed462fc6a4	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\DVD Maker\56085415360792	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\3a6fe29a7ceee6	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\56085415360792	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\886983d96e3d3e	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\PolicyDefinitions\sppsvc.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\PolicyDefinitions\0a1fd5f707cd16	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\Fonts\csrss.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\ehome\ja-JP\42af1c969fbb7b	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\Fonts\886983d96e3d3e	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\csrss.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\wininit.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\ehome\ja-JP\audiodg.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\Help\Help\it-IT\886983d96e3d3e	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\CSC\5940a34987c991	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\diagnostics\index\explorer.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\Help\Help\it-IT\csrss.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
File created	C:\Windows\CSC\dllhost.exe	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1964	schtasks.exe
1680	schtasks.exe
3064	schtasks.exe
596	schtasks.exe
540	schtasks.exe
2848	schtasks.exe
1484	schtasks.exe
2688	schtasks.exe
1864	schtasks.exe
2604	schtasks.exe
2648	schtasks.exe
2472	schtasks.exe
640	schtasks.exe
1748	schtasks.exe
324	schtasks.exe
2804	schtasks.exe
1528	schtasks.exe
2964	schtasks.exe
2492	schtasks.exe
1960	schtasks.exe
2484	schtasks.exe
664	schtasks.exe
1936	schtasks.exe
2444	schtasks.exe
1592	schtasks.exe
1732	schtasks.exe
1720	schtasks.exe
2872	schtasks.exe
1868	schtasks.exe
2268	schtasks.exe
2608	schtasks.exe
2780	schtasks.exe
3040	schtasks.exe
1424	schtasks.exe
2564	schtasks.exe
1260	schtasks.exe
988	schtasks.exe
2040	schtasks.exe
1944	schtasks.exe
2004	schtasks.exe
2412	schtasks.exe
1764	schtasks.exe
2440	schtasks.exe
2700	schtasks.exe
3012	schtasks.exe
1588	schtasks.exe
908	schtasks.exe
2536	schtasks.exe
1224	schtasks.exe
2856	schtasks.exe
1604	schtasks.exe
1644	schtasks.exe
1368	schtasks.exe
1536	schtasks.exe
2928	schtasks.exe
840	schtasks.exe
2616	schtasks.exe
2708	schtasks.exe
2240	schtasks.exe
3048	schtasks.exe
2576	schtasks.exe
3004	schtasks.exe
2424	schtasks.exe
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe
2360	csrss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
Token: SeDebugPrivilege	2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
Token: SeDebugPrivilege	2360	csrss.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2752	2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe	88
PID 2124 wrote to memory of 2752	2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe	88
PID 2124 wrote to memory of 2752	2124	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe	88
PID 2752 wrote to memory of 2360	2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe	137
PID 2752 wrote to memory of 2360	2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe	137
PID 2752 wrote to memory of 2360	2752	b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
"C:\Users\Admin\AppData\Local\Temp\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe
  "C:\Users\Admin\AppData\Local\Temp\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe
    "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Fonts\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72b" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72b" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\My Documents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\ehome\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\ehome\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Windows\ehome\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\Help\it-IT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\Help\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Help\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\CSC\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\CSC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\CSC\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Pictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\wininit.exe'" /rl HIGHEST /f
1⤵
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\wininit.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Documents\My Videos\schtasks.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Videos\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Documents\My Videos\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\System.exe'" /f
1⤵
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\System.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\schtasks.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\schtasks.exe'" /f
1⤵
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\schtasks.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\schtasks.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\schtasks.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\schtasks.exe'" /rl HIGHEST /f
1⤵
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\NativeImages_v2.0.50727_32\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\schtasks.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\sppsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\sppsvc.exe'" /rl HIGHEST /f
1⤵
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\TextConv\es-ES\b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72.exe

Filesize
2.3MB

MD5
95ce095073ce57e823674de34b621cdb

SHA1
129a46af1ad0ad1a15f6f3df3e1ee5e1147ae004

SHA256
b90b75dcc06003408ea406424ae16179137d2a39d2092d26c25677122479ed72

SHA512
e16251a67637a09771d3962fca4fa92ac5f58483cff8cbf29c94f0eb0237f30deed49036a724cff32b0942715334865c2bb06084fefb0872551181c8e6accb28

Download Submit
C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\886983d96e3d3e

Filesize
730B

MD5
2de2c86b2a07d4e10132dcfbba8e0020

SHA1
4732678aa373b54eef428b9681440d1d817a63c2

SHA256
406aca2a8f71a0b498fb8173f6ba19147f7a628b75c925a17aab3116c3bb4129

SHA512
84b25e5bfdb268b0670bb93deb0ef1a66599b2f472ebbbc192b13d1b3d1639c515d219aafa312f0f79fe7a652d8d59a7b0dd3a395ecd40d284a63c9a101fc3a2

Download Submit
memory/2124-3-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/2124-0-0x000007FEF61C3000-0x000007FEF61C4000-memory.dmp

Filesize
4KB

Download
memory/2124-4-0x00000000005A0000-0x00000000005B6000-memory.dmp

Filesize
88KB

Download
memory/2124-5-0x000000001A940000-0x000000001A996000-memory.dmp

Filesize
344KB

Download
memory/2124-6-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2124-7-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/2124-8-0x00000000007F0000-0x00000000007F8000-memory.dmp

Filesize
32KB

Download
memory/2124-2-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2124-47-0x000007FEF61C0000-0x000007FEF6BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2124-1-0x0000000000800000-0x0000000000A50000-memory.dmp

Filesize
2.3MB

Download
memory/2360-89-0x0000000000E50000-0x00000000010A0000-memory.dmp

Filesize
2.3MB

Download
memory/2360-90-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2752-48-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download