dcrat | 4e5088984e5d2304a531271ae248973b36e6d96a7f48f0dc56a92ffd951452fc

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
Size

1.6MB
MD5

f82f2ef304088a6c70fb7c56d7453d4d
SHA1

ec83164a34f06f452b81cbe1e80481c56dc89d9c
SHA256

051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9
SHA512

cd75c63375de66ea9d6954252058a2e4d89cdb2d54d907424fa72a09c1ab5f3d9d2426eff93090606cf015d71bd7b509bf1eb7d94421811b1b445a15cdb9ddb8
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	440	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2776	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2776	schtasks.exe	30

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral9/memory/2600-1-0x0000000000960000-0x0000000000B02000-memory.dmp	dcrat
behavioral9/files/0x00050000000194df-25.dat	dcrat
behavioral9/files/0x000800000001a2ed-100.dat	dcrat
behavioral9/files/0x000800000001a4b8-113.dat	dcrat
behavioral9/files/0x0006000000019c74-171.dat	dcrat
behavioral9/files/0x0007000000019d7b-180.dat	dcrat
behavioral9/memory/1108-364-0x0000000000DD0000-0x0000000000F72000-memory.dmp	dcrat
behavioral9/memory/2068-375-0x00000000012E0000-0x0000000001482000-memory.dmp	dcrat
behavioral9/memory/1524-420-0x00000000001B0000-0x0000000000352000-memory.dmp	dcrat
behavioral9/memory/1660-432-0x0000000000AC0000-0x0000000000C62000-memory.dmp	dcrat
behavioral9/memory/1328-444-0x0000000000FE0000-0x0000000001182000-memory.dmp	dcrat
behavioral9/memory/2896-456-0x0000000000360000-0x0000000000502000-memory.dmp	dcrat
behavioral9/memory/1144-468-0x0000000000120000-0x00000000002C2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1596	powershell.exe
1012	powershell.exe
2448	powershell.exe
2972	powershell.exe
1496	powershell.exe
1532	powershell.exe
1892	powershell.exe
704	powershell.exe
1788	powershell.exe
2968	powershell.exe
2136	powershell.exe
1624	powershell.exe
1196	powershell.exe
2684	powershell.exe
1484	powershell.exe
560	powershell.exe
2572	powershell.exe
2068	powershell.exe
328	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1108	System.exe
2068	System.exe
3068	System.exe
2856	System.exe
2680	System.exe
1524	System.exe
1660	System.exe
1328	System.exe
2896	System.exe
1144	System.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Uninstall Information\RCXC796.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXCBA0.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Uninstall Information\101b941d020240	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\RCXCB9F.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\csrss.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCXD49D.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXDB86.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Common Files\System\RCXE29C.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXE4A2.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files (x86)\Windows Defender\csrss.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files (x86)\Microsoft Office\c5b4cb5e9653cc	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Uninstall Information\RCXC795.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXDD89.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\explorer.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Common Files\System\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\wininit.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Java\jre7\RCXE6A7.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\0a1fd5f707cd16	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\wininit.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Shared Gadgets\RCXDB17.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Common Files\System\RCXE29D.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Java\jre7\smss.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXE8AB.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCXE8AC.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Reference Assemblies\wininit.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\7a0fd90576e088	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\es-ES\RCXDDF8.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Media Renderer\RCXE4A1.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXEAB0.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Uninstall Information\lsm.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files (x86)\Windows Defender\886983d96e3d3e	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\RCXEAB1.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Common Files\System\e84910b1001b43	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Java\jre7\smss.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Reference Assemblies\56085415360792	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files (x86)\Microsoft Office\services.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\RCXD49C.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files\Java\jre7\RCXE6A6.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\services.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\56085415360792	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\27d1bcfc3c54e0	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\explorer.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Common Files\System\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Java\jre7\69ddcba757bf72	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Program Files\Reference Assemblies\wininit.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Windows\SchCache\RCXE098.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Windows\SchCache\RCXE099.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Windows\SchCache\System.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Windows\SchCache\27d1bcfc3c54e0	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXCDA3.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File opened for modification	C:\Windows\RemotePackages\RemoteApps\RCXCE12.tmp	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Windows\RemotePackages\RemoteApps\24dbde2999530e	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
File created	C:\Windows\SchCache\System.exe	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2672	schtasks.exe
1768	schtasks.exe
920	schtasks.exe
2216	schtasks.exe
336	schtasks.exe
344	schtasks.exe
2060	schtasks.exe
848	schtasks.exe
1760	schtasks.exe
1264	schtasks.exe
2452	schtasks.exe
1084	schtasks.exe
3016	schtasks.exe
1920	schtasks.exe
1632	schtasks.exe
2636	schtasks.exe
1912	schtasks.exe
1380	schtasks.exe
1540	schtasks.exe
2300	schtasks.exe
1596	schtasks.exe
1100	schtasks.exe
2272	schtasks.exe
1908	schtasks.exe
540	schtasks.exe
2544	schtasks.exe
1652	schtasks.exe
2844	schtasks.exe
2676	schtasks.exe
2972	schtasks.exe
1532	schtasks.exe
1496	schtasks.exe
2744	schtasks.exe
2660	schtasks.exe
2976	schtasks.exe
704	schtasks.exe
904	schtasks.exe
2524	schtasks.exe
2564	schtasks.exe
3024	schtasks.exe
1928	schtasks.exe
2448	schtasks.exe
440	schtasks.exe
2156	schtasks.exe
2904	schtasks.exe
1764	schtasks.exe
1584	schtasks.exe
1484	schtasks.exe
2368	schtasks.exe
984	schtasks.exe
808	schtasks.exe
3008	schtasks.exe
1036	schtasks.exe
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
1892	powershell.exe
1624	powershell.exe
1596	powershell.exe
2448	powershell.exe
1012	powershell.exe
2972	powershell.exe
1496	powershell.exe
704	powershell.exe
2572	powershell.exe
560	powershell.exe
2068	powershell.exe
1532	powershell.exe
1196	powershell.exe
2684	powershell.exe
2136	powershell.exe
1788	powershell.exe
2968	powershell.exe
1484	powershell.exe
328	powershell.exe
1108	System.exe
2068	System.exe
3068	System.exe
2856	System.exe
2680	System.exe
1524	System.exe
1660	System.exe
1328	System.exe
2896	System.exe
1144	System.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1108	System.exe
Token: SeDebugPrivilege	2068	System.exe
Token: SeDebugPrivilege	3068	System.exe
Token: SeDebugPrivilege	2856	System.exe
Token: SeDebugPrivilege	2680	System.exe
Token: SeDebugPrivilege	1524	System.exe
Token: SeDebugPrivilege	1660	System.exe
Token: SeDebugPrivilege	1328	System.exe
Token: SeDebugPrivilege	2896	System.exe
Token: SeDebugPrivilege	1144	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 2136	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	86
PID 2600 wrote to memory of 2136	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	86
PID 2600 wrote to memory of 2136	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	86
PID 2600 wrote to memory of 1596	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	87
PID 2600 wrote to memory of 1596	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	87
PID 2600 wrote to memory of 1596	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	87
PID 2600 wrote to memory of 1624	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	88
PID 2600 wrote to memory of 1624	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	88
PID 2600 wrote to memory of 1624	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	88
PID 2600 wrote to memory of 560	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	89
PID 2600 wrote to memory of 560	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	89
PID 2600 wrote to memory of 560	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	89
PID 2600 wrote to memory of 1532	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	90
PID 2600 wrote to memory of 1532	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	90
PID 2600 wrote to memory of 1532	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	90
PID 2600 wrote to memory of 1892	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	91
PID 2600 wrote to memory of 1892	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	91
PID 2600 wrote to memory of 1892	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	91
PID 2600 wrote to memory of 1012	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	92
PID 2600 wrote to memory of 1012	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	92
PID 2600 wrote to memory of 1012	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	92
PID 2600 wrote to memory of 704	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	93
PID 2600 wrote to memory of 704	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	93
PID 2600 wrote to memory of 704	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	93
PID 2600 wrote to memory of 1196	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	94
PID 2600 wrote to memory of 1196	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	94
PID 2600 wrote to memory of 1196	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	94
PID 2600 wrote to memory of 1788	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	95
PID 2600 wrote to memory of 1788	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	95
PID 2600 wrote to memory of 1788	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	95
PID 2600 wrote to memory of 2448	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	96
PID 2600 wrote to memory of 2448	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	96
PID 2600 wrote to memory of 2448	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	96
PID 2600 wrote to memory of 2572	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	97
PID 2600 wrote to memory of 2572	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	97
PID 2600 wrote to memory of 2572	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	97
PID 2600 wrote to memory of 2684	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	98
PID 2600 wrote to memory of 2684	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	98
PID 2600 wrote to memory of 2684	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	98
PID 2600 wrote to memory of 1484	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	99
PID 2600 wrote to memory of 1484	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	99
PID 2600 wrote to memory of 1484	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	99
PID 2600 wrote to memory of 2068	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	100
PID 2600 wrote to memory of 2068	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	100
PID 2600 wrote to memory of 2068	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	100
PID 2600 wrote to memory of 2968	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	101
PID 2600 wrote to memory of 2968	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	101
PID 2600 wrote to memory of 2968	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	101
PID 2600 wrote to memory of 2972	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	102
PID 2600 wrote to memory of 2972	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	102
PID 2600 wrote to memory of 2972	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	102
PID 2600 wrote to memory of 328	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	103
PID 2600 wrote to memory of 328	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	103
PID 2600 wrote to memory of 328	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	103
PID 2600 wrote to memory of 1496	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	104
PID 2600 wrote to memory of 1496	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	104
PID 2600 wrote to memory of 1496	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	104
PID 2600 wrote to memory of 3004	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	124
PID 2600 wrote to memory of 3004	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	124
PID 2600 wrote to memory of 3004	2600	051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe	124
PID 3004 wrote to memory of 1324	3004	cmd.exe	126
PID 3004 wrote to memory of 1324	3004	cmd.exe	126
PID 3004 wrote to memory of 1324	3004	cmd.exe	126
PID 3004 wrote to memory of 1108	3004	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe
"C:\Users\Admin\AppData\Local\Temp\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2136
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1596
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:704
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\es-ES\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQR7EMdEjw.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1324
- - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
    "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3d9cc6a3-813c-4e4e-ab8e-6771ab73d4f7.vbs"
      4⤵
      PID:2500
    - - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\068d7748-4a1f-4c8c-a22c-55d8dec163ea.vbs"
        6⤵
        
        PID:1888
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4dd7fde-bee4-4371-add5-d87163fe8975.vbs"
        8⤵
        
        PID:2876
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3522e187-5e2b-4752-84ae-7bc73554cfd2.vbs"
        10⤵
        
        PID:1048
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b8ae96ef-9d9e-4a55-a0df-6da104f068d7.vbs"
        12⤵
        
        PID:2928
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8d8e5c78-db20-4159-942e-350b3325ffbd.vbs"
        14⤵
        
        PID:2716
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c854f2b-fa78-4add-9f77-6aadd58499da.vbs"
        16⤵
        
        PID:108
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8c71a11-a1d3-4aae-ac7f-1aafb181410e.vbs"
        18⤵
        
        PID:876
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c50fbe99-ccc2-4370-b548-44f6bfef17a3.vbs"
        20⤵
        
        PID:2300
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58e24cff-a24e-498c-ba98-e880ad82ca65.vbs"
        22⤵
        
        PID:2284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bf9a441b-a75c-4ffc-b71d-aed46aaaf403.vbs"
        22⤵
        
        PID:1996
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\93cb11c9-213a-4fd4-b4c9-ebee12f43394.vbs"
        20⤵
        
        PID:952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\97a23cad-beec-4cbb-b7ac-fac94ba0602d.vbs"
        18⤵
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee7083ad-7ec7-45ac-be4c-a9671d7ecaf7.vbs"
        16⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07a18948-224a-4b28-af22-71baaee15e92.vbs"
        14⤵
        
        PID:2196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\426851ef-28b7-4f4c-8c67-a534afe04df3.vbs"
        12⤵
        
        PID:2028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7088f765-fd48-45d5-b147-4a78ff21940d.vbs"
        10⤵
        
        PID:2180
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5494583b-631a-465c-9d9b-e2bafdc31851.vbs"
        8⤵
        
        PID:2892
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f98d0964-0aa5-4027-8a54-12a4820b1d7d.vbs"
        6⤵
        
        PID:2520
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5bbed2a-e9e2-445b-b7ec-21d5a1622a30.vbs"
      4⤵
      PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Local Settings\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\SendTo\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\SendTo\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SchCache\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd90" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd90" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jre7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jre7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Windows NT\TableTextService\es-ES\explorer.exe

Filesize
1.6MB

MD5
27387d1e64c7a429f0fb0bc10ebf833b

SHA1
71e830a23b6cc5dfeff184a41af642d5c17385cf

SHA256
e09c5a7ea4673d5fb9293d240f83130e1c8ec74e54d5ef6f8df31f6bfbd6909b

SHA512
a51187b665140960ec798d3e2ccd9ae495ca4d17aca197fd9edbea909f71c2b982a8a9f050ba0b393de07002e82241645213e4ded3bbda70d3a837cc13c26032

Download Submit
C:\Program Files\Windows Sidebar\Shared Gadgets\sppsvc.exe

Filesize
1.6MB

MD5
9bf35c2462bd86df9f61101b64a49773

SHA1
45f8f5efecbf83418d4443b4fd1d095f8b09ab84

SHA256
e63b25636c4cd35c571f66044f84c6f1e23583ea84d4aaa51a45268434c12c66

SHA512
b92d1140a11ad63fc6f586e08f711a37c14a1718eb7622db141ee84be5facd92b06b4df3c9e9e55682010081027a5514ed458c7d4a1ada0091afd033e43fce24

Download Submit
C:\Users\Admin\AppData\Local\Temp\068d7748-4a1f-4c8c-a22c-55d8dec163ea.vbs

Filesize
764B

MD5
35d6644dc927964291a5d19a5cd44796

SHA1
89735e13dbab27fc3c8c351ad025a7e2046d4dce

SHA256
7ff8a8924ed4f90904a71ed2d1d0f11af7409d166590165f1a03d27f5a429558

SHA512
a291a88f5a8f5cb137da4017e3ef31b023263621e6fc7b0596bf55357de355a4288dc8b03afc31f1931e64c2fb89c5c43c4b77daf7afcbb74a3eeece41023e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\3522e187-5e2b-4752-84ae-7bc73554cfd2.vbs

Filesize
764B

MD5
29d955177319bfbaecf587c5e6f8d6f1

SHA1
d1d249364c5f389222061c955b8d07b5d122ce87

SHA256
b7293d7b7ec9a265d52f30ce95f0eb0f81e905a8e9d24511f4ef09e0d789eb93

SHA512
2015046c3a2d87424be61ce5e31f2f49abd0e5093a50939809c39b594db73737f43ef8a9ca335dec9717d1a25c66ddf616adf470d3e3776f90b65567edd34a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3d9cc6a3-813c-4e4e-ab8e-6771ab73d4f7.vbs

Filesize
764B

MD5
f0a17278b98b2c4c9b5adc3e34611187

SHA1
a7067503db35b98c398be639175f9edf8bf8f0b3

SHA256
bfc868bdf6a21d917990f5ddf16cf0eef41cb19abb57472b5e2b9ecd3933b0e3

SHA512
3f4b58e9aa6a26e2441f9fb618eb879c66b77cb29bc15c7847615e4dc4714d568b681799342b49a8e825e5cb1afa4e4deec4472b042781edf8b5b4493977149b

Download Submit
C:\Users\Admin\AppData\Local\Temp\58e24cff-a24e-498c-ba98-e880ad82ca65.vbs

Filesize
764B

MD5
e200054c3b4b84367c50cb02bc26dba0

SHA1
38109c0cd5b938c544ec17cd42ae3347b141ab82

SHA256
dd22f5dc57c9f83508014920d12f3870dcfb4a3d12292aca3f04a3c7750b8ba3

SHA512
3e160d640b0dff42aeb4cc2a5fbe280e2f1011ffc42c508866802198fc7d89025887d5111737a10b096c6037ac483cff12b5d033197663b7dbca7341014099f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c854f2b-fa78-4add-9f77-6aadd58499da.vbs

Filesize
764B

MD5
be7e52d5da45cffaf39b7c29f41ccb66

SHA1
b1b3ec2d5c1c20fa3d826cb6f90f391d471fbcd4

SHA256
2f7ce2b33d7ff1bbaa28fe9e4760159846b40de46763c7608ed0f9875850a3d9

SHA512
2e8b88ae0b1ba79695cee7c6f82fdd616dc2074babe68dd023357bbbfecf8eca175ac7049a1ecfdd2b10f0f0fef1cfe20fdb3b16c2675f9518f400e4f358911b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8d8e5c78-db20-4159-942e-350b3325ffbd.vbs

Filesize
764B

MD5
ebabe77258986b8ccd6f525c707abdff

SHA1
8a60aee69faf2b54bcde3532d93bd161fbd03876

SHA256
6e78f1b9cdc4d655375412518c964e328da349d2eb32b65eb3527221174bf717

SHA512
831be123b115068bee5ce2fadfe7590d093302e3960b66dfa48cf1da54a872e13e79faf992a913af9b6214912a3e598f5cacd67aad7ec0e7ddc52c0755ebeb2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQR7EMdEjw.bat

Filesize
253B

MD5
16909fd8943d26cf0b5f6f93142e3fdc

SHA1
f8b2a9ee52431758a4eb5fd60e1b69f6bb50669d

SHA256
d7b03d05756802a90dac5923cb63d5cc16b786feb71929d62e9e934a28dcdaa4

SHA512
cd9f240ac2eaa6d8bd09461f8c914a76570fe39b743d4db6e369c0443ffc22df9cac1f9d4afbfbc22180a260101cc386fc2af5d555c3fe1c0baea8d5fc33d2e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\b8ae96ef-9d9e-4a55-a0df-6da104f068d7.vbs

Filesize
764B

MD5
13639fc58178c6773b5b5c644a09befb

SHA1
668b4ef166d43fe8c00a954c7d7f2335c61e3a14

SHA256
f824d08408bc417553d440340ef076e09cc10a484b915de4a59849d0f7d5b898

SHA512
1d5e8ee2196479c2c4e432c020ef2d59a6c2366296ae22fabc99b1cb6f891e648aff4a66cbc1d237bbe3511c5ab34914b07fbbca1a66c7a315890399d4009fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c50fbe99-ccc2-4370-b548-44f6bfef17a3.vbs

Filesize
764B

MD5
e05bfb095437dabf9b84659d9b5faa16

SHA1
ae0a4d443ad2b9d39038d4ca5746f6e88355b9d1

SHA256
04384d1a9b82d18dd635ca4f07cb543614f03733107ecece4482082d59cc9144

SHA512
46e9d60b7ed9829ca2a0d248938fd7ef01a7c553907ac927801426ee956a34f77c52b968da16e47470d5aba49a218831c89d7683e9dc13e5820fe93791f6b35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4dd7fde-bee4-4371-add5-d87163fe8975.vbs

Filesize
764B

MD5
79d8bf917b19191eac0e9093955c3214

SHA1
1e3cd00086b4e9cad15ed4cf8b04e7d5a6adaca9

SHA256
c393ce52cc4c612d10dfb1173fa70ca59a6965a234c1cb7fe4c0cf126137c0d2

SHA512
2a57879ab98884eb54a5f72de22fdc4584653f7beb464cafff63fa53e7a802b9357e4586c5e2f8246d2ff18ba2de6c38d126d54a835671a436065b6b887a5099

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5bbed2a-e9e2-445b-b7ec-21d5a1622a30.vbs

Filesize
540B

MD5
3c76cbb8facfda12ca34785f13209e3a

SHA1
3df0db1dca58bbdc9fb3b06a8f07f83ecca8951f

SHA256
9c834bde13ca0d13067cf184a6b0ba2dc37fcff1834e2298a98a6344a4f9ea34

SHA512
870db4456d4e34e44595e70eab23b56a5132e5761220b71a7a20ffd61dbc0284a97bab39e4f5d3409b84d6b816d383e27150ce3e1c41a7b11f386194039c27a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\e8c71a11-a1d3-4aae-ac7f-1aafb181410e.vbs

Filesize
764B

MD5
aae4bb0f5bb0d88d09fe8270e847782e

SHA1
c464bb92344a232254e2c4f6843ebab193b127cf

SHA256
c2b25830c8d9338584dbbf43b571d451b21d3a8f4df85eac9b577cdd18b29816

SHA512
7c27ffa66af8225aef82bd3b0eef237e6ac7e27379cc295ef92293272d99d779fd3282bbb90211eaf8ccd30ab4914b30ac3773277fe0ebfe4329968b04e32a3e

Download Submit
C:\Users\Admin\AppData\Local\audiodg.exe

Filesize
1.6MB

MD5
f82f2ef304088a6c70fb7c56d7453d4d

SHA1
ec83164a34f06f452b81cbe1e80481c56dc89d9c

SHA256
051d54e80e3f28743c56367890e0952fad3e6bfa88e8774b24c6c2c714840dd9

SHA512
cd75c63375de66ea9d6954252058a2e4d89cdb2d54d907424fa72a09c1ab5f3d9d2426eff93090606cf015d71bd7b509bf1eb7d94421811b1b445a15cdb9ddb8

Download Submit
C:\Users\Admin\AppData\Local\audiodg.exe

Filesize
1.6MB

MD5
531ec430666052ae6969f72db7e61862

SHA1
afccdd73a9daeda4add5072cac167ffed9da0ab6

SHA256
6590c11e4509ca9f05478a228a2918e686041476c593dac879f2f17f18dd1b08

SHA512
48f1ded3bcf54e7eff079586b8d32c12f0bcd317806665c21e54a222e49298f48d75689deb23826bfbf1717aabfa4ed4b3489513e2a8a2d3f2a9190a87db40cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d9cbf40c38ca35eba6ca548bd68e2724

SHA1
3c786d0cef890e2b2ad2a5980584df5b4bf18153

SHA256
a8b863487f4a926bc10647e24582d6a9695a2da0e178483108ce0ac283070de5

SHA512
95a6992e1aa7027986cccfbef6d6fe40f25a83784d0a27985094d0c3efb8faa78030ca1ac948372d54b7adca4af82dbce05035f9461205351f194865157171a0

Download Submit
C:\Windows\RemotePackages\RemoteApps\WmiPrvSE.exe

Filesize
1.6MB

MD5
9acb6e413cd64df8223244dbd4ced37e

SHA1
bacaadbb8332f1c49f9d7541d2cc00be29e98d09

SHA256
e39a900160247dddb9374f73895363628b063dd9440bef1559d0932c9cde44ad

SHA512
f7f91467fa37c82ae12f46deec4180422f31398970b48133e678e88665bafbe22ec13134124db368ff50bcdea6d9f9aada2a644a9f8e3cffd238fa5229451b30

Download Submit
memory/1108-364-0x0000000000DD0000-0x0000000000F72000-memory.dmp

Filesize
1.6MB

Download
memory/1144-468-0x0000000000120000-0x00000000002C2000-memory.dmp

Filesize
1.6MB

Download
memory/1328-444-0x0000000000FE0000-0x0000000001182000-memory.dmp

Filesize
1.6MB

Download
memory/1524-420-0x00000000001B0000-0x0000000000352000-memory.dmp

Filesize
1.6MB

Download
memory/1660-432-0x0000000000AC0000-0x0000000000C62000-memory.dmp

Filesize
1.6MB

Download
memory/1892-296-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/1892-297-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/2068-375-0x00000000012E0000-0x0000000001482000-memory.dmp

Filesize
1.6MB

Download
memory/2600-13-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2600-16-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download
memory/2600-245-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-220-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2600-4-0x0000000000260000-0x0000000000270000-memory.dmp

Filesize
64KB

Download
memory/2600-8-0x00000000005A0000-0x00000000005A8000-memory.dmp

Filesize
32KB

Download
memory/2600-9-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2600-11-0x0000000000780000-0x000000000078A000-memory.dmp

Filesize
40KB

Download
memory/2600-12-0x0000000000790000-0x000000000079E000-memory.dmp

Filesize
56KB

Download
memory/2600-0-0x000007FEF53E3000-0x000007FEF53E4000-memory.dmp

Filesize
4KB

Download
memory/2600-14-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/2600-264-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-15-0x00000000020A0000-0x00000000020AA000-memory.dmp

Filesize
40KB

Download
memory/2600-10-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2600-5-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2600-6-0x0000000000480000-0x0000000000488000-memory.dmp

Filesize
32KB

Download
memory/2600-7-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2600-1-0x0000000000960000-0x0000000000B02000-memory.dmp

Filesize
1.6MB

Download
memory/2600-3-0x0000000000240000-0x000000000025C000-memory.dmp

Filesize
112KB

Download
memory/2600-2-0x000007FEF53E0000-0x000007FEF5DCC000-memory.dmp

Filesize
9.9MB

Download
memory/2896-456-0x0000000000360000-0x0000000000502000-memory.dmp

Filesize
1.6MB

Download