dcrat | 7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8

Analysis

max time kernel
120s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-01-2025 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Size

1.7MB
MD5

6d5faed87aba710c68377628f3cd1ad0
SHA1

95e477a9a047e2bf841e7ff88d484fbdc33c9182
SHA256

7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8
SHA512

c4c5877da078e10e38391ab0d233815b41306ba9f7660a5a7bb3d5a5b9d82733a33411b29408a177798c35047ad8aa784c02bb32aa641d1d5fb633800b8a03de
SSDEEP

49152:T+gYXZTD1VXUqzX7VwjvMoh1IFyuyigWnMzm6sDBKv:+THUxUoh1IF9gl2

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2724	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2724	schtasks.exe	30

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2400-1-0x00000000001F0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/files/0x0005000000019275-27.dat	dcrat
behavioral1/files/0x000600000001946a-82.dat	dcrat
behavioral1/files/0x0006000000019479-105.dat	dcrat
behavioral1/files/0x000d000000019275-166.dat	dcrat
behavioral1/memory/1128-376-0x0000000000AE0000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/2972-387-0x0000000000F80000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/448-411-0x0000000000FC0000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/3004-423-0x0000000000010000-0x00000000001D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 24 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2644	powershell.exe
2144	powershell.exe
2444	powershell.exe
2240	powershell.exe
2452	powershell.exe
2172	powershell.exe
2936	powershell.exe
2932	powershell.exe
1200	powershell.exe
1944	powershell.exe
2164	powershell.exe
1736	powershell.exe
1592	powershell.exe
1704	powershell.exe
2892	powershell.exe
2616	powershell.exe
2928	powershell.exe
1588	powershell.exe
2944	powershell.exe
1028	powershell.exe
3056	powershell.exe
2748	powershell.exe
2872	powershell.exe
756	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Executes dropped EXE 6 IoCs

pid	Process
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
1128	taskhost.exe
2972	taskhost.exe
2552	taskhost.exe
448	taskhost.exe
3004	taskhost.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Skins\42af1c969fbb7b	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXDF03.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\b75386f1303e64	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\Google\taskhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\Google\taskhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows Media Player\ja-JP\42af1c969fbb7b	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCXD47E.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\RCXDF02.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows Photo Viewer\e978f868350d50	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\RCXD47D.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\powershell.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows Media Player\ja-JP\audiodg.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXC573.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\RCXC574.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\audiodg.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXD681.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXD682.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\c5b4cb5e9653cc	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\conhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Media Player\Skins\audiodg.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\audiodg.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows Photo Viewer\42af1c969fbb7b	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\RCXD075.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\es-ES\services.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\6ccacd8608530f	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows Photo Viewer\powershell.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows NT\Accessories\es-ES\services.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\VideoLAN\VLC\skins\conhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\VideoLAN\VLC\skins\088424020bedd6	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows Media Player\Skins\audiodg.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\RCXD076.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files (x86)\Google\b75386f1303e64	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Program Files\Windows Photo Viewer\audiodg.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\lsm.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Windows\de-DE\RCXD887.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Windows\de-DE\lsm.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Windows\Web\Wallpaper\Windows\088424020bedd6	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Windows\Media\Characters\088424020bedd6	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Windows\Media\Characters\conhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Windows\de-DE\101b941d020240	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Windows\de-DE\RCXD886.tmp	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Windows\Web\Wallpaper\Windows\conhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File created	C:\Windows\Media\Characters\conhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows\conhost.exe	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2672	schtasks.exe
1920	schtasks.exe
2980	schtasks.exe
1512	schtasks.exe
2640	schtasks.exe
1272	schtasks.exe
2244	schtasks.exe
2000	schtasks.exe
816	schtasks.exe
1128	schtasks.exe
2524	schtasks.exe
1076	schtasks.exe
2972	schtasks.exe
1668	schtasks.exe
2344	schtasks.exe
2612	schtasks.exe
2772	schtasks.exe
2012	schtasks.exe
336	schtasks.exe
3032	schtasks.exe
2772	schtasks.exe
2636	schtasks.exe
2736	schtasks.exe
1808	schtasks.exe
2656	schtasks.exe
328	schtasks.exe
2916	schtasks.exe
1996	schtasks.exe
2460	schtasks.exe
336	schtasks.exe
372	schtasks.exe
1084	schtasks.exe
2820	schtasks.exe
2952	schtasks.exe
3064	schtasks.exe
2268	schtasks.exe
3000	schtasks.exe
1348	schtasks.exe
2360	schtasks.exe
3048	schtasks.exe
1840	schtasks.exe
1676	schtasks.exe
2040	schtasks.exe
572	schtasks.exe
2892	schtasks.exe
3056	schtasks.exe
1288	schtasks.exe
2232	schtasks.exe
560	schtasks.exe
1776	schtasks.exe
2388	schtasks.exe
1656	schtasks.exe
1544	schtasks.exe
3000	schtasks.exe
1988	schtasks.exe
2708	schtasks.exe
2948	schtasks.exe
1128	schtasks.exe
2892	schtasks.exe
1524	schtasks.exe
2856	schtasks.exe
1684	schtasks.exe
2288	schtasks.exe
1772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
2164	powershell.exe
2872	powershell.exe
2144	powershell.exe
1944	powershell.exe
2892	powershell.exe
1200	powershell.exe
1736	powershell.exe
2644	powershell.exe
2748	powershell.exe
1704	powershell.exe
756	powershell.exe
2616	powershell.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1128	taskhost.exe
Token: SeDebugPrivilege	2972	taskhost.exe
Token: SeDebugPrivilege	2552	taskhost.exe
Token: SeDebugPrivilege	448	taskhost.exe
Token: SeDebugPrivilege	3004	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2644	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	71
PID 2400 wrote to memory of 2644	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	71
PID 2400 wrote to memory of 2644	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	71
PID 2400 wrote to memory of 1704	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	72
PID 2400 wrote to memory of 1704	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	72
PID 2400 wrote to memory of 1704	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	72
PID 2400 wrote to memory of 2144	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	73
PID 2400 wrote to memory of 2144	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	73
PID 2400 wrote to memory of 2144	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	73
PID 2400 wrote to memory of 1200	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	74
PID 2400 wrote to memory of 1200	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	74
PID 2400 wrote to memory of 1200	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	74
PID 2400 wrote to memory of 2748	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	75
PID 2400 wrote to memory of 2748	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	75
PID 2400 wrote to memory of 2748	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	75
PID 2400 wrote to memory of 2892	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	76
PID 2400 wrote to memory of 2892	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	76
PID 2400 wrote to memory of 2892	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	76
PID 2400 wrote to memory of 2872	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	77
PID 2400 wrote to memory of 2872	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	77
PID 2400 wrote to memory of 2872	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	77
PID 2400 wrote to memory of 1944	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	78
PID 2400 wrote to memory of 1944	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	78
PID 2400 wrote to memory of 1944	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	78
PID 2400 wrote to memory of 2616	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	79
PID 2400 wrote to memory of 2616	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	79
PID 2400 wrote to memory of 2616	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	79
PID 2400 wrote to memory of 756	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	80
PID 2400 wrote to memory of 756	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	80
PID 2400 wrote to memory of 756	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	80
PID 2400 wrote to memory of 2164	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	81
PID 2400 wrote to memory of 2164	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	81
PID 2400 wrote to memory of 2164	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	81
PID 2400 wrote to memory of 1736	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	82
PID 2400 wrote to memory of 1736	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	82
PID 2400 wrote to memory of 1736	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	82
PID 2400 wrote to memory of 3044	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	95
PID 2400 wrote to memory of 3044	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	95
PID 2400 wrote to memory of 3044	2400	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	95
PID 3044 wrote to memory of 2240	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	135
PID 3044 wrote to memory of 2240	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	135
PID 3044 wrote to memory of 2240	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	135
PID 3044 wrote to memory of 2928	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	136
PID 3044 wrote to memory of 2928	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	136
PID 3044 wrote to memory of 2928	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	136
PID 3044 wrote to memory of 2444	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	137
PID 3044 wrote to memory of 2444	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	137
PID 3044 wrote to memory of 2444	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	137
PID 3044 wrote to memory of 2452	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	138
PID 3044 wrote to memory of 2452	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	138
PID 3044 wrote to memory of 2452	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	138
PID 3044 wrote to memory of 1588	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	140
PID 3044 wrote to memory of 1588	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	140
PID 3044 wrote to memory of 1588	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	140
PID 3044 wrote to memory of 2944	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	141
PID 3044 wrote to memory of 2944	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	141
PID 3044 wrote to memory of 2944	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	141
PID 3044 wrote to memory of 2172	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	142
PID 3044 wrote to memory of 2172	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	142
PID 3044 wrote to memory of 2172	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	142
PID 3044 wrote to memory of 1592	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	143
PID 3044 wrote to memory of 1592	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	143
PID 3044 wrote to memory of 1592	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	143
PID 3044 wrote to memory of 2936	3044	7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe	144

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
"C:\Users\Admin\AppData\Local\Temp\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
1⤵
- Drops file in Drivers directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2748
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Users\Admin\AppData\Local\Temp\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe
  "C:\Users\Admin\AppData\Local\Temp\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2444
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1592
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2936
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PRQTW9ZyiV.bat"
    3⤵
    PID:1508
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2732
  - - C:\Program Files (x86)\Google\taskhost.exe
      "C:\Program Files (x86)\Google\taskhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1128
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dabd6e94-4349-4d4c-90c3-6368f48a271b.vbs"
        5⤵
        
        PID:1732
      - C:\Program Files (x86)\Google\taskhost.exe
        
        "C:\Program Files (x86)\Google\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\406eaeb3-0ada-490e-8bfd-4b7449fb8736.vbs"
        7⤵
        
        PID:2248
        
        C:\Program Files (x86)\Google\taskhost.exe
        
        "C:\Program Files (x86)\Google\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36b37aab-3f44-485e-8b51-9007f95a1d5b.vbs"
        9⤵
        
        PID:2952
        
        C:\Program Files (x86)\Google\taskhost.exe
        
        "C:\Program Files (x86)\Google\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c45db73f-547d-41a5-ab2a-92887daadb8f.vbs"
        11⤵
        
        PID:2244
        
        C:\Program Files (x86)\Google\taskhost.exe
        
        "C:\Program Files (x86)\Google\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\76433d7a-1c39-41bb-8638-42f0c66367a1.vbs"
        13⤵
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\edb21e52-0e28-4022-a20d-2cbe2565ffe3.vbs"
        13⤵
        
        PID:880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f64bf984-7e6b-4836-99ca-e55fa3e7deaf.vbs"
        11⤵
        
        PID:2072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2bcb0ad-c58c-4e0b-9931-3efdb0df5772.vbs"
        9⤵
        
        PID:388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ef291dec-70c2-4c9c-a5ee-c59e8a4ddac1.vbs"
        7⤵
        
        PID:1056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6bfa64c8-d2ef-48c1-9948-4d8498cfeaef.vbs"
        5⤵
        
        PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Local Settings\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\ja-JP\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\ja-JP\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Skins\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Skins\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N7" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N" /sc ONLOGON /tr "'C:\Users\Public\Libraries\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N7" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N7" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N7" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Users\Public\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Public\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Users\Public\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Windows\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Windows\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Web\Wallpaper\Windows\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Downloads\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Characters\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Media\Characters\conhost.exe'" /rl HIGHEST /f
1⤵
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Media\Characters\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 12 /tr "'C:\Users\Default\powershell.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Users\Default\powershell.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\skins\conhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\skins\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\skins\conhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe

Filesize
1.7MB

MD5
6d5faed87aba710c68377628f3cd1ad0

SHA1
95e477a9a047e2bf841e7ff88d484fbdc33c9182

SHA256
7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8

SHA512
c4c5877da078e10e38391ab0d233815b41306ba9f7660a5a7bb3d5a5b9d82733a33411b29408a177798c35047ad8aa784c02bb32aa641d1d5fb633800b8a03de

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\taskhost.exe

Filesize
1.7MB

MD5
89f46c705617fc782920c5991e106693

SHA1
ffc4f8e245e7bcd20046fe4e5c391680a0a14175

SHA256
83387cfb0ac803f5d2b9a2441b89be090b321bdab253bec8da16b8d42ffaecf4

SHA512
a1676f1ab164d405c366810ef8782e1f7289c09d67b6b3eebd6f3bdf40e3e0179a41d634d25e64a5135620d7fee9c7605075e9ef9a1aaec50f28e29eddf75735

Download Submit
C:\Users\Admin\AppData\Local\Temp\36b37aab-3f44-485e-8b51-9007f95a1d5b.vbs

Filesize
718B

MD5
feb147bc4c350d53d2e3278f34e68f4c

SHA1
7ac5b8b0bdb7d8158b1ef0a79bc7c4886d02e16a

SHA256
245b7e0fd633340394467f424316e9f62891fdced1e1bc2f5245413d8d1ac4b5

SHA512
cdc6e4d9f5afbc1533a85afb1624303722a81b2fcd2383c6d2a58d2e625257d395d5b48bfd1cb0986c2cf9937a254262c7982777fe71db1560df8eced2f00ba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\406eaeb3-0ada-490e-8bfd-4b7449fb8736.vbs

Filesize
718B

MD5
62592f5609d6242e5fea35a373eb29c9

SHA1
90575b1bc7a7878187686467e442e084104eea00

SHA256
d0e8bc6b12b11e62c0c614c67e13addde56625ba6c5622b2e8cd100c5e6557f6

SHA512
d4815d50e7149b879832a96334d1db2dfccc82831a6b12204cf911b32429bd284cd39d6925ebecfcf46d282ca444393eebccf37fdb64d6bbc58a071b0c970573

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bfa64c8-d2ef-48c1-9948-4d8498cfeaef.vbs

Filesize
494B

MD5
afcd6a376865e2aac73bde765ee1c2be

SHA1
947777f6cd028ecd482861f3ab23ebad6dfdb7ab

SHA256
15cc73af88d53f26a167dba04d0e58e3d38841e7fa862d13f96f85f7695a04ec

SHA512
2543677a2cee313e4245f89ddccfb1b546730335cdf6ca6c0c421ec29d6259b17e274d7c58b065d8cd00e765e94eb819c96571f69164a3551308f487cba3b76d

Download Submit
C:\Users\Admin\AppData\Local\Temp\76433d7a-1c39-41bb-8638-42f0c66367a1.vbs

Filesize
718B

MD5
ed5473baf348f1669aab9a4f5b6bb577

SHA1
7baa023fe32f3265b4b13437cc33a4de82d7d7a2

SHA256
3b69521e37d0503139b43ac044ad6aac63958ffa11b26ffa4cb57f047064dec9

SHA512
9ea841f940ca29ad10de8de1e390b060c2c9860584f4522b6cfa9fa4b9faa743df44e608b5a2c9fba51b42293381aea207a4450197c13821b310ce4f3a831a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\PRQTW9ZyiV.bat

Filesize
207B

MD5
1af3e65f3821fec7864a53d7a7115676

SHA1
cc47dc030309b88b39db4b68025cf76d4eea1618

SHA256
5008b3979f2e9d969f82b3173a86ddbc4eb502cd9d392fc534cf5aa542f1185a

SHA512
59769ab1669782248f0f4905f3c2812cfcb216cc156af59859a036ee560f783a711824b4524ede9e7ccac3a2819f8f7ed548f8ef73e8358e2fae728b69d8d67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c45db73f-547d-41a5-ab2a-92887daadb8f.vbs

Filesize
717B

MD5
e1e62a7cf700545fb8db425902578361

SHA1
0b8de5e54d7989e3c7e54b6e7ec4bf8b27bcfed0

SHA256
57a7ada02509e9c0e9521423f98432226328aa16b615ad0cb44bf0dc631b7561

SHA512
a1e232ec5d41ee20d8698a75a0938924ad5169db2a7ef141851e331b3755b971a2e296a561035ed93654dbf01f3c0bbb98a3d1170123de38c6fea53bf72f78de

Download Submit
C:\Users\Admin\AppData\Local\Temp\dabd6e94-4349-4d4c-90c3-6368f48a271b.vbs

Filesize
718B

MD5
b00b08431eb66a4f98a6148bfb0229db

SHA1
45fc55b778f4d60cf75d3bc03def67af322ad51b

SHA256
b7f4e15062b228c94e9865691977bd1a20d6b19a0342d7cfe8b83ba80a2e1d29

SHA512
bd05893d60567fc54360261ad122db3dc9e1ef8c8469352f6447d66f244540653f42b46b9959612bfc5c3ffd16c0191542c1f2979012daa7cb423c0698019d4f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
56d3c47fd52596871afb708abe9d3235

SHA1
433f67336b5035572b34bfef7e131e3b8faabb77

SHA256
62e1bf61a11022bbba71f7fa4b3abbb249464c199f428e23cc2875ced3090133

SHA512
61ba0f09e7b40f182cff498cd98f734dda5cb2d52a516c5b8f2e59d2a066a40e4a783e80c70dee694b0e64c05370d4241a050c0fd8b1e5619554acbc9b68392e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
afac154461001c59fcc2ff2189ea30a4

SHA1
50e7281627ad2ad53dd93e15ad956b3759c3f45d

SHA256
81e52da5df13a60f4adca94a490433e59360762c6076b29d9e9413656b3df22f

SHA512
e24c2f415da4aabff6cd87662ff15dc769608e20ad60e262abfbcc8b3475d253a1033e56157016814923642e18273667f176f5916e8931cbdfecf98798a150b7

Download Submit
C:\Users\Default\AppData\Local\explorer.exe

Filesize
1.7MB

MD5
9172f37e280f791e256bb6b92fb16f2e

SHA1
ca82bc35378eaf3073db3a53dfdf84e7506d2802

SHA256
970edb05e25886ca4933d0ac2c3176575257d5b24a7ff977e98931f3290be51e

SHA512
17cd507c6bba090e601e278aa0ac7b100b8cf79bb55ab8f5b4593bfe3e18054fa0efe8a8d74285b164a87bddf0d761694bbf8a18c1e4e713d8dc9d3b5e4d0d4e

Download Submit
C:\Users\Public\Libraries\7f632feb26dcbc39bc00ddb8204cbed76b9c937d29f4635feb0d2deea64c07a8N.exe

Filesize
1.7MB

MD5
f6321fa26a581a94a9cc072c73b0d3d7

SHA1
f4e573cc979846891eab7778aa75f46cfa5c2615

SHA256
2f7a388957bdfba6f1c81ac6bffdac73ae2c95ec590e07803856d1f9ce6b2f76

SHA512
fc573f4cbc02ad4f334b8231f3b50631f453c3630d3610e884924144057514d247a569e212b486aad0bd862b3cfce66f0f0a0afc46d9fdd1ae6834ad6ae93f8a

Download Submit
memory/448-411-0x0000000000FC0000-0x0000000001180000-memory.dmp

Filesize
1.8MB

Download
memory/1128-376-0x0000000000AE0000-0x0000000000CA0000-memory.dmp

Filesize
1.8MB

Download
memory/2164-240-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/2240-327-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2400-9-0x0000000000670000-0x0000000000678000-memory.dmp

Filesize
32KB

Download
memory/2400-13-0x0000000000850000-0x000000000085A000-memory.dmp

Filesize
40KB

Download
memory/2400-20-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2400-16-0x00000000020B0000-0x00000000020BC000-memory.dmp

Filesize
48KB

Download
memory/2400-0-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

Filesize
4KB

Download
memory/2400-181-0x000007FEF5213000-0x000007FEF5214000-memory.dmp

Filesize
4KB

Download
memory/2400-14-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download
memory/2400-8-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2400-12-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2400-1-0x00000000001F0000-0x00000000003B0000-memory.dmp

Filesize
1.8MB

Download
memory/2400-11-0x0000000000680000-0x0000000000692000-memory.dmp

Filesize
72KB

Download
memory/2400-2-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2400-15-0x0000000000870000-0x0000000000878000-memory.dmp

Filesize
32KB

Download
memory/2400-17-0x00000000020C0000-0x00000000020CC000-memory.dmp

Filesize
48KB

Download
memory/2400-203-0x000007FEF5210000-0x000007FEF5BFC000-memory.dmp

Filesize
9.9MB

Download
memory/2400-6-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/2400-7-0x0000000000650000-0x0000000000660000-memory.dmp

Filesize
64KB

Download
memory/2400-3-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2400-4-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2400-5-0x0000000000430000-0x0000000000440000-memory.dmp

Filesize
64KB

Download
memory/2444-317-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2552-399-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2872-239-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2972-387-0x0000000000F80000-0x0000000001140000-memory.dmp

Filesize
1.8MB

Download
memory/3004-423-0x0000000000010000-0x00000000001D0000-memory.dmp

Filesize
1.8MB

Download