dcrat | f08d555b265bc840ef4d7904f37de7886b276d3b2f85180bb63b0e29445e02b1

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Size

1.6MB
MD5

3300bfaf9bf1b6c6ad8edd215d41f472
SHA1

410ca541b614b044273f9ce3be0aeb5eb185097a
SHA256

c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812
SHA512

c628e19818f92eb95e068fba254ce8be88a712cb28607034d99bb66352aa1640222b89412b26e1324862834f2d271db0432f338a9273707755e08c2bfff9deac
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5716	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3544	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4576	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4744	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3624	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5440	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4032	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5932	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4928	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4948	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5036	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4880	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6064	5456	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	5456	schtasks.exe	88

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral28/memory/2880-1-0x0000000000FE0000-0x0000000001182000-memory.dmp	dcrat
behavioral28/files/0x00070000000242a1-26.dat	dcrat
behavioral28/files/0x00080000000242bd-79.dat	dcrat
behavioral28/files/0x000900000002429a-90.dat	dcrat
behavioral28/files/0x000900000002429e-101.dat	dcrat
behavioral28/files/0x00080000000242a5-123.dat	dcrat
behavioral28/files/0x00070000000242be-136.dat	dcrat
behavioral28/files/0x00090000000242ab-147.dat	dcrat
behavioral28/memory/3196-328-0x0000000000210000-0x00000000003B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5408	powershell.exe
4040	powershell.exe
3160	powershell.exe
3584	powershell.exe
3284	powershell.exe
4684	powershell.exe
1680	powershell.exe
5732	powershell.exe
2008	powershell.exe
3280	powershell.exe
5788	powershell.exe
3692	powershell.exe
3908	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000\Control Panel\International\Geo\Nation	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Executes dropped EXE 15 IoCs

pid	Process
3196	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
5216	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3096	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4596	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2952	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3280	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
1384	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3900	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4504	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3324	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4664	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3520	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2012	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
5160	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4960	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\fr-FR\886983d96e3d3e	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\9e8d7a4ca61bd9	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX7A34.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\RCX7E6D.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\RCX7EEB.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\Windows Mail\csrss.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\RuntimeBroker.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files\7-Zip\Lang\d7237c82d0bde4	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files\Windows Mail\886983d96e3d3e	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX8878.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\Windows Mail\RCX8F81.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files\Windows Mail\csrss.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\RCX7A23.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\RuntimeBroker.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\7-Zip\Lang\RCX88F6.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Program Files\Windows Mail\RCX902D.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Media\Heritage\27d1bcfc3c54e0	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\Media\Heritage\RCX85F5.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\Media\Heritage\RCX85F6.tmp	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File opened for modification	C:\Windows\Media\Heritage\System.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
File created	C:\Windows\Media\Heritage\System.exe	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Key created	\REGISTRY\USER\S-1-5-21-3975168204-1612096350-4002976354-1000_Classes\Local Settings	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5716	schtasks.exe
2952	schtasks.exe
5440	schtasks.exe
2856	schtasks.exe
540	schtasks.exe
5088	schtasks.exe
1644	schtasks.exe
4868	schtasks.exe
4948	schtasks.exe
4880	schtasks.exe
5104	schtasks.exe
3544	schtasks.exe
4752	schtasks.exe
4788	schtasks.exe
4592	schtasks.exe
5036	schtasks.exe
5932	schtasks.exe
4964	schtasks.exe
2916	schtasks.exe
3624	schtasks.exe
2528	schtasks.exe
372	schtasks.exe
4504	schtasks.exe
4576	schtasks.exe
4744	schtasks.exe
4908	schtasks.exe
3796	schtasks.exe
4928	schtasks.exe
6064	schtasks.exe
4032	schtasks.exe
1660	schtasks.exe
1064	schtasks.exe
4456	schtasks.exe
4544	schtasks.exe
1104	schtasks.exe
740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4684	powershell.exe
4684	powershell.exe
3908	powershell.exe
3908	powershell.exe
5732	powershell.exe
5732	powershell.exe
5408	powershell.exe
5408	powershell.exe
1680	powershell.exe
1680	powershell.exe
2008	powershell.exe
2008	powershell.exe
3584	powershell.exe
3584	powershell.exe
4040	powershell.exe
4040	powershell.exe
3692	powershell.exe
3692	powershell.exe
3160	powershell.exe
3160	powershell.exe
3284	powershell.exe
3284	powershell.exe
5788	powershell.exe
5788	powershell.exe
3280	powershell.exe
3280	powershell.exe
3280	powershell.exe
4684	powershell.exe
5788	powershell.exe
3584	powershell.exe
5732	powershell.exe
4040	powershell.exe
3908	powershell.exe
1680	powershell.exe
5408	powershell.exe
3284	powershell.exe
3692	powershell.exe
2008	powershell.exe
3160	powershell.exe
3196	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
5216	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3096	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4596	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2952	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3280	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3280	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
1384	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3900	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4504	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3324	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4664	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
3520	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
2012	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
5160	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
4960	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	3908	powershell.exe
Token: SeDebugPrivilege	4040	powershell.exe
Token: SeDebugPrivilege	5732	powershell.exe
Token: SeDebugPrivilege	5408	powershell.exe
Token: SeDebugPrivilege	5788	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	3692	powershell.exe
Token: SeDebugPrivilege	3160	powershell.exe
Token: SeDebugPrivilege	3284	powershell.exe
Token: SeDebugPrivilege	3280	powershell.exe
Token: SeDebugPrivilege	3196	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	5216	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	3096	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	4596	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	2952	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	3280	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	1384	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	3900	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	4504	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	3324	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	4664	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	3520	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	2012	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	5160	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
Token: SeDebugPrivilege	4960	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 4684	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	130
PID 2880 wrote to memory of 4684	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	130
PID 2880 wrote to memory of 1680	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	131
PID 2880 wrote to memory of 1680	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	131
PID 2880 wrote to memory of 5788	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	132
PID 2880 wrote to memory of 5788	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	132
PID 2880 wrote to memory of 3692	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	133
PID 2880 wrote to memory of 3692	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	133
PID 2880 wrote to memory of 3908	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	134
PID 2880 wrote to memory of 3908	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	134
PID 2880 wrote to memory of 5408	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	135
PID 2880 wrote to memory of 5408	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	135
PID 2880 wrote to memory of 5732	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	136
PID 2880 wrote to memory of 5732	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	136
PID 2880 wrote to memory of 4040	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	137
PID 2880 wrote to memory of 4040	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	137
PID 2880 wrote to memory of 2008	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	138
PID 2880 wrote to memory of 2008	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	138
PID 2880 wrote to memory of 3160	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	139
PID 2880 wrote to memory of 3160	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	139
PID 2880 wrote to memory of 3584	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	140
PID 2880 wrote to memory of 3584	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	140
PID 2880 wrote to memory of 3284	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	141
PID 2880 wrote to memory of 3284	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	141
PID 2880 wrote to memory of 3280	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	142
PID 2880 wrote to memory of 3280	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	142
PID 2880 wrote to memory of 5784	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	156
PID 2880 wrote to memory of 5784	2880	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	156
PID 5784 wrote to memory of 1332	5784	cmd.exe	158
PID 5784 wrote to memory of 1332	5784	cmd.exe	158
PID 5784 wrote to memory of 3196	5784	cmd.exe	160
PID 5784 wrote to memory of 3196	5784	cmd.exe	160
PID 3196 wrote to memory of 4000	3196	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	161
PID 3196 wrote to memory of 4000	3196	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	161
PID 3196 wrote to memory of 2672	3196	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	162
PID 3196 wrote to memory of 2672	3196	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	162
PID 4000 wrote to memory of 5216	4000	WScript.exe	163
PID 4000 wrote to memory of 5216	4000	WScript.exe	163
PID 5216 wrote to memory of 5036	5216	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	165
PID 5216 wrote to memory of 5036	5216	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	165
PID 5216 wrote to memory of 1984	5216	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	166
PID 5216 wrote to memory of 1984	5216	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	166
PID 5036 wrote to memory of 3096	5036	WScript.exe	169
PID 5036 wrote to memory of 3096	5036	WScript.exe	169
PID 3096 wrote to memory of 460	3096	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	171
PID 3096 wrote to memory of 460	3096	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	171
PID 3096 wrote to memory of 4688	3096	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	172
PID 3096 wrote to memory of 4688	3096	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	172
PID 460 wrote to memory of 4596	460	WScript.exe	176
PID 460 wrote to memory of 4596	460	WScript.exe	176
PID 4596 wrote to memory of 5804	4596	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	177
PID 4596 wrote to memory of 5804	4596	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	177
PID 4596 wrote to memory of 1864	4596	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	178
PID 4596 wrote to memory of 1864	4596	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	178
PID 5804 wrote to memory of 2952	5804	WScript.exe	179
PID 5804 wrote to memory of 2952	5804	WScript.exe	179
PID 2952 wrote to memory of 2256	2952	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	180
PID 2952 wrote to memory of 2256	2952	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	180
PID 2952 wrote to memory of 1184	2952	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	181
PID 2952 wrote to memory of 1184	2952	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	181
PID 2256 wrote to memory of 3280	2256	WScript.exe	182
PID 2256 wrote to memory of 3280	2256	WScript.exe	182
PID 3280 wrote to memory of 5888	3280	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	183
PID 3280 wrote to memory of 5888	3280	c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe	183

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
"C:\Users\Admin\AppData\Local\Temp\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OfficeClickToRun.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\video_output\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Heritage\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3160
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\f170d29a37c9c9775251\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2VouYs0zfV.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5784
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1332
- - C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
    "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0c428ea3-9c34-49df-a170-337a0dd40e47.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4000
    - - C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5216
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\863cf13c-7112-4518-be8b-99e3e4b80c1d.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\164822ee-2499-4ea3-94cc-ffd58745daef.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:460
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c8b8421d-2199-4901-9c52-a5ce0cd6344f.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:5804
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1294826e-4307-43f7-931f-b65eb66224bf.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e03e610e-ffe4-4d2f-8270-402244537fef.vbs"
        14⤵
        
        PID:5888
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e97eff64-24a4-4b2a-a7d8-74b4260e13a8.vbs"
        16⤵
        
        PID:5636
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1350d61b-d5b1-449f-b8cf-4972a9110326.vbs"
        18⤵
        
        PID:4492
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f8c7a403-1648-414b-b8e5-55609bcc7b11.vbs"
        20⤵
        
        PID:4600
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e9d1311a-a373-454c-bec3-8405eec0b72d.vbs"
        22⤵
        
        PID:704
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee312c14-dd58-4940-96f6-7da6aecf07b0.vbs"
        24⤵
        
        PID:3464
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1ff1068c-b2a9-4f4d-b092-b1a3e98a052f.vbs"
        26⤵
        
        PID:2744
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f86e562-b4a8-4d83-ab06-14a57cdcb4eb.vbs"
        28⤵
        
        PID:5824
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d817fad3-1c8e-4bfb-84f9-71cba02443c6.vbs"
        30⤵
        
        PID:5896
        
        C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe
        
        "C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ae32598-dd52-4f8c-a4ee-873cf2390f5d.vbs"
        30⤵
        
        PID:1036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0ed6fc61-355b-4037-8caf-102b4dc0a65e.vbs"
        28⤵
        
        PID:1596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\36e047cc-64c5-48d1-9ca9-372debd8d73b.vbs"
        26⤵
        
        PID:3648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6e26bbd4-8519-48b2-9183-6ccdd2349b1d.vbs"
        24⤵
        
        PID:4972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\31560388-0abf-475e-bf69-3e6e5be3e33f.vbs"
        22⤵
        
        PID:3020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1e1beb67-7d03-4734-bf7d-74ce3db8f1ae.vbs"
        20⤵
        
        PID:5660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\569a9f8e-b0b4-444b-9bc7-5ce5b68016e7.vbs"
        18⤵
        
        PID:6080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe06fcda-e1bf-4dba-bce8-0bf635752520.vbs"
        16⤵
        
        PID:1924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e55a49d9-47f5-4a78-be08-f00e3e5d4be4.vbs"
        14⤵
        
        PID:2468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d87e45d-4cad-488d-817f-89b8a94474a0.vbs"
        12⤵
        
        PID:1184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9712678e-46ee-4d1b-9db5-0eb655b69813.vbs"
        10⤵
        
        PID:1864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6412fe97-1ee8-4e00-9167-dd1133dfc87e.vbs"
        8⤵
        
        PID:4688
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1c7cfef9-07c9-494d-88e4-9d18643570b2.vbs"
        6⤵
        
        PID:1984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65761ec3-c73b-419c-874b-cc804087ad8a.vbs"
      4⤵
      PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_output\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_output\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\video_output\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\f170d29a37c9c9775251\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\f170d29a37c9c9775251\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Heritage\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Media\Heritage\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Media\Heritage\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812c" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812c" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\f170d29a37c9c9775251\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\f170d29a37c9c9775251\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\f170d29a37c9c9775251\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\f170d29a37c9c9775251\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe

Filesize
1.6MB

MD5
be4312549157ff7015d83a13e9cbf5a3

SHA1
071b7e163518f24187475e36a035e4e18c9076a3

SHA256
5479e593a4a36fc6146c5fecb61fe36bd15fd7dba2ad286d03dfa0ab02288723

SHA512
c16e11e039e9105d6183cd23a8746035e49f2702934e5a83cb7fa2a68a2cdf52299e5f9d7922b8cc6d216bf1031133f3e20e33556317233cab3ccc318daefa05

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\video_output\RuntimeBroker.exe

Filesize
1.6MB

MD5
22913a4017fee976569fb28fa0c5b5f2

SHA1
5e90d39ebde2a4b203f81d1cf6b4ea8e30695014

SHA256
7b354a372e296cd3edd5ab2da776ed1f84741329fcbf44d035e57eea33861c8b

SHA512
71c9ff4d1a249741c231bc49ac4b305a5898b5990c8480227aea05b16985038338a355fbee6750f3d3d255785d703b0879aa936c9df6893a45cfbb3f656c8470

Download Submit
C:\Program Files\Windows Mail\csrss.exe

Filesize
1.6MB

MD5
f98769d3b4e881c87cd591a81ca51006

SHA1
bcd575dc0a091c1b9f91551201e276f76331faa5

SHA256
25801e77f0aa4dec5d3f2ab8db05bd2ce61c729e29bc35521e1a70582f8cdaeb

SHA512
9faaaf03b36c660cdb84cbf533736e6460bb12038956ae18f8c35c82798fad1302f946008e12f52abbc35c38e2fba292ba0f0e5b6c5c9ef36b91fe7d47d496e9

Download Submit
C:\Recovery\WindowsRE\services.exe

Filesize
1.6MB

MD5
1e30ce46c65049a6d79c98d134898b34

SHA1
fa3f8fe45c0df306604af8e593d37c7f69b34c80

SHA256
1a73fadfece2cf8df35522eb6caeb0e7d49a6832cde81bb44300ccfd7bd4b573

SHA512
b182ea07a24319c2b3f39380790aa635e4a7a31b4e672ae1cd15d9aa33dc5516b5bb54fa6f0c9bededd71b11fe89c6b5a3301b3238b3f43bc8fc21db55256648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
94f35f261590c8add6967ae13ee05fab

SHA1
e0e5828e2c4b7d1937fde13dbfcc63f59c1899c7

SHA256
db908d6ae1a8ae3e77e93332eaa24f8316aa9e65285996439d35a133024e1a63

SHA512
3e3438bc5e8dfe738d8cf374d444f9f8600cadac6071708426b7852d3a84f0363f79ae6895f11206b5c7fbb8c850725318196c4171112634cfef3d2d70d1e8fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
c44e48d99762769d16de7352e92db16f

SHA1
29898e4ddba0504899fe0f0a55abacf592689e1b

SHA256
f92b4e399718fecfdc08924f70f0bdb7c5e0014eaeec343d815a503e06205bc8

SHA512
18cfd8b4bf3871c26c01d20ecd90f76493a6e55d7df33e78fb1491f6151ab3c04589758d6419f7b73a1288d5e65b85f40142bb7e3df5bc46e7fe4cf2da014879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e8e7675df15697eee65b731b90f33a5f

SHA1
8fe1308e032c5cb61b8ea50672fd650889cecdcd

SHA256
656a10810af26e008c2c5d4748b4a476b97b9fd5ef7837ae197feff6ec00b932

SHA512
fed3aa124a90998c734d36397f7fa6e26973bbeaa2c11b999ee05b0fb2378473b14765ca606f021c2f778613ce61f3a1c6836e955b7c6b192a7774973a945992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3f0db2be09ea50e93f81f83a58fdc049

SHA1
862883227880dde307538079454109d35f39723e

SHA256
b747c644e6479e6e921d09626c68d2df0d33d2a707f9432e5fc1b138e6c9387d

SHA512
a7f4644e8f4a0dd59f47645ba7afe312c9e714f923019add5cddf6491f3466731abd66c854bdaa497c0f162c1ae08df5c6506e2171ec9d74ae5c9ffcd69f0773

Download Submit
C:\Users\Admin\AppData\Local\Temp\0c428ea3-9c34-49df-a170-337a0dd40e47.vbs

Filesize
772B

MD5
38ea612f378ae57f03ed507a6a82caf3

SHA1
f1436cb455d629c6433761375793698bd4f1994f

SHA256
46160d38c06809925cc88a98742ee70e4b45db90bfa319b3ffcc0f8748c87938

SHA512
a3b9327e3a629281dd0ff4c1f8370c6c4d4b2e44d870c1bcac314461adee9887ecfc611d8db353f79ecf4f3d09fdeab76cd0e31bb4689b8dde662f3a047d32c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1294826e-4307-43f7-931f-b65eb66224bf.vbs

Filesize
772B

MD5
9ea1d8a6e7178cdeb17a983b0949cbb3

SHA1
e9a8a9710b9f4134e3e6d24dc512a40956e3088e

SHA256
b0f2e1555c138e8081b7519814f0640c2c51c5c7207d54085f67f2cafc8a1ed9

SHA512
63de4f97458a04d57234005d4c37e672c252e6d4ec9b5a322448dcf103c595eeebaf79abb51c11bf88d1a2479da9daa214dc44a22270636d7840d650a83f8703

Download Submit
C:\Users\Admin\AppData\Local\Temp\1350d61b-d5b1-449f-b8cf-4972a9110326.vbs

Filesize
772B

MD5
c5eaa27b51a98a38bf4d8c097520441d

SHA1
460170fe8203329e5e650cb136c93fb70b5c0460

SHA256
be3ed5fedd3f174694353117eb5edbbf41a8d7f342e4269ead5a51830c9f0c6a

SHA512
3c0ab7b84c8001fb2c9fa856d3175d758a731033e7bf0cfd6a254233be11dfa7f555048a6910bd9fc5c40b432e9fa3e9eab6f218efacd7bb0fdaa1d50dd86c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\164822ee-2499-4ea3-94cc-ffd58745daef.vbs

Filesize
772B

MD5
7ce404ba2f7dbf52cf0dce9efeecc480

SHA1
dfc5cbd6744ce5594221e07bb3e259b849587062

SHA256
6f59f8e5758865d35ff3d1c6aca0979efd75d760344161b123b4e820845f80b7

SHA512
e83c637a9379ff9ddfefe0bf96c4e46efc648fb08f21b555b8a586d93de3b62f8cf871c45f9321138308ea5c4ca08953d533f79564150688604aaa5243c5295c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ff1068c-b2a9-4f4d-b092-b1a3e98a052f.vbs

Filesize
772B

MD5
2b7078f19602419a30d8a9e38965e68e

SHA1
ffe8120c8f0bce81f733e95bdb06060c26a112ba

SHA256
7a826fb419e003496f3ca36be99a289164c584ec2d5f35a68689029547ac279e

SHA512
83f8bcde36b46760aea7a196d86c6b1987a0560e0064f82cae2c5dcf4a5ea1894defe48d3821a088005351259817e56ee69eb7ffdd95557fa423584d5ec30e9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2VouYs0zfV.bat

Filesize
261B

MD5
11a2a05e2e00b8a227fac53f891d8c3c

SHA1
9ea7a767e763be5ed3fe996089e6491c1492a85b

SHA256
3ab22514894678531e6c3842dada8bfd8bdcfd0275bde68034f04e5db93aa2c3

SHA512
3f4b3efa670395116daf9d751e9669637443d6c35b5988097302fdbb2732fce17294bede7160155ebc59ce05607813af34fe5f4ff04fede9bdc4b0bf29254978

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f86e562-b4a8-4d83-ab06-14a57cdcb4eb.vbs

Filesize
772B

MD5
408dcae188f47d5a4c319879270b4ed3

SHA1
e50df8e6b27bc1e42a37359895df4636b03c0efb

SHA256
2d0a16da1347f01ee7b6e741f1b5a4b4918c3866edb75b5dab09b577bb9d1263

SHA512
b592d5f37eb37ae6d774f74d1a19d647611dab81583d884ecaebe3a00409afebed48414f2eeda1b36cb8bad51931776a7de65dd781cf91d26e30916dce644472

Download Submit
C:\Users\Admin\AppData\Local\Temp\65761ec3-c73b-419c-874b-cc804087ad8a.vbs

Filesize
548B

MD5
abe91f3953975be526d97eefaa59c724

SHA1
cfb996de3a380a26ee56f8d49ad7706df805a6c1

SHA256
d4a7257cb1a7e149d4b1bdfd0003ddd84a9f5dcca773a287e7736b58c534dc30

SHA512
663d60fd4719eec9ae51c66788279cfb29af21a06892e423f432d612590c41cce4cbb49e22c721f57fbf5356fd8a9a9d493d60c67be096ba0ef1a9b222731ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\863cf13c-7112-4518-be8b-99e3e4b80c1d.vbs

Filesize
772B

MD5
ff22d727f97625de3ba522bfe5b3a84c

SHA1
ca6bbe0acaacd54498aa8825e2bd2061cbf8d5b4

SHA256
377bd73a30b8e9ab308741de0daca887c5e3ae54b3caa8e0f0a9453bce2b437a

SHA512
af4c3afb3169e9754eae1253561692d432956812d9174a0429fe6125934a6684bfcc7bc404b81b0e9bcfd4287ef56f2e597d1bbd2d42953e053a1dca5c7d0cc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1cjeklaj.0jn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c8b8421d-2199-4901-9c52-a5ce0cd6344f.vbs

Filesize
772B

MD5
fd80490f17660a95b240ed291b209c0d

SHA1
4c30e92935539acb6dcfadf401cda12289f714bb

SHA256
2cca2313f14ecbf8e887b68868d0d514beb66d5ee0778e3a94965ac4109866c1

SHA512
41f07077d9aadcf687b2bed0543fcc5a441152caab4d3b04ee0615364686d75c9f810f0501dae7a39e915e2e08e49c217e5e4b793d9088997cc7e66d9cb52327

Download Submit
C:\Users\Admin\AppData\Local\Temp\e03e610e-ffe4-4d2f-8270-402244537fef.vbs

Filesize
772B

MD5
816a630a2364a5fdda1d961d970edccb

SHA1
48d03c0af099fda87be024f93a2e55da43dfa8f7

SHA256
4730424ebdace36cbefa752f50419ea3fc658587ea5ba55061c6b07c940be5bc

SHA512
725e406274f38a7c8bbc03704e2a54b65830a9363c4ccd5b495fd57072046480a49a1202ea8390060c816845888e785e3fab96397a749c59696d5e49f33b9506

Download Submit
C:\Users\Admin\AppData\Local\Temp\e97eff64-24a4-4b2a-a7d8-74b4260e13a8.vbs

Filesize
772B

MD5
b378328e3315f236ec96e48de9788ba8

SHA1
3ebf9d4541a0442ece0a665a0fd3478709341ac5

SHA256
2142263293b18789086b078be115128c2268f65092085d87862767ed49a42f6b

SHA512
63d8fdfeb6dff4d6e0191cac8d317354a5dd83bb63be34117d0e1373a2bf717f0ce9fdf8c00a90de107e6a4cc049ded6757722bcfcb436b0b857259055a32092

Download Submit
C:\Users\Admin\AppData\Local\Temp\e9d1311a-a373-454c-bec3-8405eec0b72d.vbs

Filesize
772B

MD5
de5629530dac38398e9b9945c51dff97

SHA1
882e1bb2fdc72a0e19715f4d3759095524425c5c

SHA256
fa9f435516346ef9b86cba5eed0edcfd9586c22e61b73e17cddb4d52c63f3cec

SHA512
f26eb3936436696fc1f3ec84d5987f2299c11edc68a8bcc6f95f2101bf2fe8ac67d50f9038d22c6ca1356316764a49554dc055e71a0baca64fbba4783afed914

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee312c14-dd58-4940-96f6-7da6aecf07b0.vbs

Filesize
772B

MD5
5f50f618643a6c835269b885a205b11f

SHA1
dbe3f764fc12c68d698e67057c92ed409c54602f

SHA256
86d77a6415c04fee0f85c1e935717777578fea7c38ec2be22cc0df3cea3d1971

SHA512
a996330dc21c4a8a1852aabaddb7693b5480e4d01a535f1d6d234a4c4fd96d3dc414cc7980977daca8a3a5421b9f992f4b2d871a3ed1c68e78f03e8b3083698a

Download Submit
C:\Users\Admin\AppData\Local\Temp\f8c7a403-1648-414b-b8e5-55609bcc7b11.vbs

Filesize
772B

MD5
57c311eeb51e619f157cfce05b2323db

SHA1
5e44a39e7356cfd4325f5e5fb305b0dc4bdefda9

SHA256
6125155db6261e2e2f6ba3907e04db4ce601725bf0bfdc61620cf29bc36efa87

SHA512
d4dc1864af44001f235d014ad40514d7d22e0814e151cd8bb114c9343d811345dbf9f70402b7fd0413a904af1dbb317a976018987a27c17b0ec3b7628e7cb918

Download Submit
C:\f170d29a37c9c9775251\System.exe

Filesize
1.6MB

MD5
3300bfaf9bf1b6c6ad8edd215d41f472

SHA1
410ca541b614b044273f9ce3be0aeb5eb185097a

SHA256
c93d951c2fb1c1505deb11e457ce4df9f4849181c8ba19c12bbb2b7066b18812

SHA512
c628e19818f92eb95e068fba254ce8be88a712cb28607034d99bb66352aa1640222b89412b26e1324862834f2d271db0432f338a9273707755e08c2bfff9deac

Download Submit
C:\f170d29a37c9c9775251\System.exe

Filesize
1.6MB

MD5
5788f8e31cb8978ebfaa368589276c7b

SHA1
321f3aec2a7c982643834e5a18927dc48ab54955

SHA256
6f635e9e987d5f47b9369d55c41d1e6b7061422b1141674fa76cd4d23d4500ea

SHA512
c93cb1e00bbff94449551a459e8cbbaba52247422f168dbc32f967587d2494f9d804272a9f557d12b1ac2947b0691f5fdd01410f573be3d83a810688dde750e0

Download Submit
C:\f170d29a37c9c9775251\sppsvc.exe

Filesize
1.6MB

MD5
4ac9256332541be92851567516f6bb8b

SHA1
aa088d4af2978b4ae89cb33d6b8a558882df6a27

SHA256
83f6d28b74060204fa65298a32194f84ec1dde38cd83c507896c0bc7e5c64ec7

SHA512
bf8d22f0aed9dedae359d864c4496e3b458671d63def0438f9b018669b081222a854b657d136ffad64a7272e29193d96f43f8c7df8507d0441f4a33c27363929

Download Submit
memory/2880-12-0x000000001C630000-0x000000001C63A000-memory.dmp

Filesize
40KB

Download
memory/2880-7-0x000000001C3E0000-0x000000001C3E8000-memory.dmp

Filesize
32KB

Download
memory/2880-1-0x0000000000FE0000-0x0000000001182000-memory.dmp

Filesize
1.6MB

Download
memory/2880-174-0x00007FFAD8673000-0x00007FFAD8675000-memory.dmp

Filesize
8KB

Download
memory/2880-17-0x000000001C680000-0x000000001C68C000-memory.dmp

Filesize
48KB

Download
memory/2880-14-0x000000001C650000-0x000000001C658000-memory.dmp

Filesize
32KB

Download
memory/2880-2-0x00007FFAD8670000-0x00007FFAD9131000-memory.dmp

Filesize
10.8MB

Download
memory/2880-16-0x000000001C670000-0x000000001C67A000-memory.dmp

Filesize
40KB

Download
memory/2880-15-0x000000001C660000-0x000000001C668000-memory.dmp

Filesize
32KB

Download
memory/2880-0-0x00007FFAD8673000-0x00007FFAD8675000-memory.dmp

Filesize
8KB

Download
memory/2880-13-0x000000001C640000-0x000000001C64E000-memory.dmp

Filesize
56KB

Download
memory/2880-11-0x000000001C620000-0x000000001C62C000-memory.dmp

Filesize
48KB

Download
memory/2880-9-0x000000001C400000-0x000000001C408000-memory.dmp

Filesize
32KB

Download
memory/2880-10-0x000000001C460000-0x000000001C46C000-memory.dmp

Filesize
48KB

Download
memory/2880-6-0x000000001C3C0000-0x000000001C3D6000-memory.dmp

Filesize
88KB

Download
memory/2880-8-0x000000001C3F0000-0x000000001C400000-memory.dmp

Filesize
64KB

Download
memory/2880-191-0x00007FFAD8670000-0x00007FFAD9131000-memory.dmp

Filesize
10.8MB

Download
memory/2880-4-0x000000001C410000-0x000000001C460000-memory.dmp

Filesize
320KB

Download
memory/2880-5-0x000000001BD80000-0x000000001BD90000-memory.dmp

Filesize
64KB

Download
memory/2880-3-0x000000001C3A0000-0x000000001C3BC000-memory.dmp

Filesize
112KB

Download
memory/3196-328-0x0000000000210000-0x00000000003B2000-memory.dmp

Filesize
1.6MB

Download
memory/4684-189-0x000001A475D80000-0x000001A475DA2000-memory.dmp

Filesize
136KB

Download