dcrat | f4111d30be32600233ad61440ff2f9a6484f3ba6c04fae4b522fc09ab0de3831

Analysis

max time kernel
149s
max time network
160s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49986bd925df8b3a09e58c4999927830.exe
Size

1.6MB
MD5

49986bd925df8b3a09e58c4999927830
SHA1

40750b7b784db39850b805c151dfe76c9a6fdf30
SHA256

8d08430b6955cd7396f0e929bc2e098bab79adf22ff486fac8e07c369ebd9837
SHA512

4fb7adb39f1cfba3151cf099b14582e79ad3100c8de878a169bc2028f2bad9082b79ed94f1a8d0d7a441a00799f48c9a22e04eea0b7258930cda4569955b269a
SSDEEP

24576:Msm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:MD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2576	schtasks.exe	30

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral31/memory/2180-1-0x0000000001160000-0x0000000001302000-memory.dmp	dcrat
behavioral31/files/0x0005000000019c74-25.dat	dcrat
behavioral31/files/0x000c000000012282-65.dat	dcrat
behavioral31/files/0x000700000001963a-74.dat	dcrat
behavioral31/files/0x000a00000001963a-98.dat	dcrat
behavioral31/files/0x0007000000019c74-109.dat	dcrat
behavioral31/files/0x0010000000019d7b-181.dat	dcrat
behavioral31/memory/1660-256-0x0000000000200000-0x00000000003A2000-memory.dmp	dcrat
behavioral31/memory/2568-267-0x0000000000BB0000-0x0000000000D52000-memory.dmp	dcrat
behavioral31/memory/2356-279-0x00000000002D0000-0x0000000000472000-memory.dmp	dcrat
behavioral31/memory/2064-291-0x00000000000F0000-0x0000000000292000-memory.dmp	dcrat
behavioral31/memory/300-303-0x0000000001210000-0x00000000013B2000-memory.dmp	dcrat
behavioral31/memory/444-315-0x0000000000020000-0x00000000001C2000-memory.dmp	dcrat
behavioral31/memory/1636-327-0x0000000000170000-0x0000000000312000-memory.dmp	dcrat
behavioral31/memory/1616-339-0x0000000000910000-0x0000000000AB2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2412	powershell.exe
2200	powershell.exe
592	powershell.exe
2792	powershell.exe
1528	powershell.exe
2652	powershell.exe
2560	powershell.exe
2796	powershell.exe
2460	powershell.exe
2668	powershell.exe
1776	powershell.exe
3008	powershell.exe
2592	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2004	lsm.exe
1660	lsm.exe
2568	lsm.exe
2356	lsm.exe
2064	lsm.exe
300	lsm.exe
444	lsm.exe
1636	lsm.exe
1616	lsm.exe

Drops file in Program Files directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX483E.tmp	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX3B95.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX4638.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\6cb0b6c459d5d3	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\RCX3923.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\RCX3B27.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX3E07.tmp	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\56085415360792	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\6ccacd8608530f	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\smss.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\RCX4639.tmp	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\wininit.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\RCX3922.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\RCX3D99.tmp	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\7a0fd90576e088	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\RCX483D.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\wininit.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\69ddcba757bf72	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX3101.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\smss.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\69ddcba757bf72	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\RCX3102.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe	49986bd925df8b3a09e58c4999927830.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\it-IT\0a1fd5f707cd16	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\it-IT\RCX401A.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\it-IT\RCX401B.tmp	49986bd925df8b3a09e58c4999927830.exe
File opened for modification	C:\Windows\it-IT\sppsvc.exe	49986bd925df8b3a09e58c4999927830.exe
File created	C:\Windows\it-IT\sppsvc.exe	49986bd925df8b3a09e58c4999927830.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
2144	schtasks.exe
2140	schtasks.exe
320	schtasks.exe
2668	schtasks.exe
2572	schtasks.exe
1728	schtasks.exe
2336	schtasks.exe
444	schtasks.exe
1776	schtasks.exe
2072	schtasks.exe
1944	schtasks.exe
2000	schtasks.exe
2508	schtasks.exe
2204	schtasks.exe
2024	schtasks.exe
2732	schtasks.exe
2436	schtasks.exe
2784	schtasks.exe
1908	schtasks.exe
2056	schtasks.exe
1928	schtasks.exe
2120	schtasks.exe
1768	schtasks.exe
1784	schtasks.exe
2976	schtasks.exe
1972	schtasks.exe
884	schtasks.exe
668	schtasks.exe
2456	schtasks.exe
2320	schtasks.exe
944	schtasks.exe
868	schtasks.exe
2876	schtasks.exe
688	schtasks.exe
2952	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2180	49986bd925df8b3a09e58c4999927830.exe
2180	49986bd925df8b3a09e58c4999927830.exe
2180	49986bd925df8b3a09e58c4999927830.exe
2180	49986bd925df8b3a09e58c4999927830.exe
2180	49986bd925df8b3a09e58c4999927830.exe
3008	powershell.exe
2652	powershell.exe
2796	powershell.exe
2412	powershell.exe
2592	powershell.exe
1776	powershell.exe
1528	powershell.exe
2560	powershell.exe
2792	powershell.exe
2460	powershell.exe
2200	powershell.exe
2668	powershell.exe
592	powershell.exe
1660	lsm.exe
2568	lsm.exe
2356	lsm.exe
2064	lsm.exe
300	lsm.exe
444	lsm.exe
1636	lsm.exe
1616	lsm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2180	49986bd925df8b3a09e58c4999927830.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	1660	lsm.exe
Token: SeDebugPrivilege	2568	lsm.exe
Token: SeDebugPrivilege	2356	lsm.exe
Token: SeDebugPrivilege	2064	lsm.exe
Token: SeDebugPrivilege	300	lsm.exe
Token: SeDebugPrivilege	444	lsm.exe
Token: SeDebugPrivilege	1636	lsm.exe
Token: SeDebugPrivilege	1616	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 2560	2180	49986bd925df8b3a09e58c4999927830.exe	67
PID 2180 wrote to memory of 2560	2180	49986bd925df8b3a09e58c4999927830.exe	67
PID 2180 wrote to memory of 2560	2180	49986bd925df8b3a09e58c4999927830.exe	67
PID 2180 wrote to memory of 2796	2180	49986bd925df8b3a09e58c4999927830.exe	68
PID 2180 wrote to memory of 2796	2180	49986bd925df8b3a09e58c4999927830.exe	68
PID 2180 wrote to memory of 2796	2180	49986bd925df8b3a09e58c4999927830.exe	68
PID 2180 wrote to memory of 2412	2180	49986bd925df8b3a09e58c4999927830.exe	69
PID 2180 wrote to memory of 2412	2180	49986bd925df8b3a09e58c4999927830.exe	69
PID 2180 wrote to memory of 2412	2180	49986bd925df8b3a09e58c4999927830.exe	69
PID 2180 wrote to memory of 2652	2180	49986bd925df8b3a09e58c4999927830.exe	70
PID 2180 wrote to memory of 2652	2180	49986bd925df8b3a09e58c4999927830.exe	70
PID 2180 wrote to memory of 2652	2180	49986bd925df8b3a09e58c4999927830.exe	70
PID 2180 wrote to memory of 2460	2180	49986bd925df8b3a09e58c4999927830.exe	72
PID 2180 wrote to memory of 2460	2180	49986bd925df8b3a09e58c4999927830.exe	72
PID 2180 wrote to memory of 2460	2180	49986bd925df8b3a09e58c4999927830.exe	72
PID 2180 wrote to memory of 2668	2180	49986bd925df8b3a09e58c4999927830.exe	74
PID 2180 wrote to memory of 2668	2180	49986bd925df8b3a09e58c4999927830.exe	74
PID 2180 wrote to memory of 2668	2180	49986bd925df8b3a09e58c4999927830.exe	74
PID 2180 wrote to memory of 1528	2180	49986bd925df8b3a09e58c4999927830.exe	76
PID 2180 wrote to memory of 1528	2180	49986bd925df8b3a09e58c4999927830.exe	76
PID 2180 wrote to memory of 1528	2180	49986bd925df8b3a09e58c4999927830.exe	76
PID 2180 wrote to memory of 2200	2180	49986bd925df8b3a09e58c4999927830.exe	78
PID 2180 wrote to memory of 2200	2180	49986bd925df8b3a09e58c4999927830.exe	78
PID 2180 wrote to memory of 2200	2180	49986bd925df8b3a09e58c4999927830.exe	78
PID 2180 wrote to memory of 2592	2180	49986bd925df8b3a09e58c4999927830.exe	81
PID 2180 wrote to memory of 2592	2180	49986bd925df8b3a09e58c4999927830.exe	81
PID 2180 wrote to memory of 2592	2180	49986bd925df8b3a09e58c4999927830.exe	81
PID 2180 wrote to memory of 2792	2180	49986bd925df8b3a09e58c4999927830.exe	83
PID 2180 wrote to memory of 2792	2180	49986bd925df8b3a09e58c4999927830.exe	83
PID 2180 wrote to memory of 2792	2180	49986bd925df8b3a09e58c4999927830.exe	83
PID 2180 wrote to memory of 592	2180	49986bd925df8b3a09e58c4999927830.exe	84
PID 2180 wrote to memory of 592	2180	49986bd925df8b3a09e58c4999927830.exe	84
PID 2180 wrote to memory of 592	2180	49986bd925df8b3a09e58c4999927830.exe	84
PID 2180 wrote to memory of 3008	2180	49986bd925df8b3a09e58c4999927830.exe	85
PID 2180 wrote to memory of 3008	2180	49986bd925df8b3a09e58c4999927830.exe	85
PID 2180 wrote to memory of 3008	2180	49986bd925df8b3a09e58c4999927830.exe	85
PID 2180 wrote to memory of 1776	2180	49986bd925df8b3a09e58c4999927830.exe	86
PID 2180 wrote to memory of 1776	2180	49986bd925df8b3a09e58c4999927830.exe	86
PID 2180 wrote to memory of 1776	2180	49986bd925df8b3a09e58c4999927830.exe	86
PID 2180 wrote to memory of 2052	2180	49986bd925df8b3a09e58c4999927830.exe	93
PID 2180 wrote to memory of 2052	2180	49986bd925df8b3a09e58c4999927830.exe	93
PID 2180 wrote to memory of 2052	2180	49986bd925df8b3a09e58c4999927830.exe	93
PID 2052 wrote to memory of 2448	2052	cmd.exe	95
PID 2052 wrote to memory of 2448	2052	cmd.exe	95
PID 2052 wrote to memory of 2448	2052	cmd.exe	95
PID 2052 wrote to memory of 2004	2052	cmd.exe	96
PID 2052 wrote to memory of 2004	2052	cmd.exe	96
PID 2052 wrote to memory of 2004	2052	cmd.exe	96
PID 3004 wrote to memory of 1660	3004	WScript.exe	99
PID 3004 wrote to memory of 1660	3004	WScript.exe	99
PID 3004 wrote to memory of 1660	3004	WScript.exe	99
PID 1660 wrote to memory of 2768	1660	lsm.exe	100
PID 1660 wrote to memory of 2768	1660	lsm.exe	100
PID 1660 wrote to memory of 2768	1660	lsm.exe	100
PID 1660 wrote to memory of 1028	1660	lsm.exe	101
PID 1660 wrote to memory of 1028	1660	lsm.exe	101
PID 1660 wrote to memory of 1028	1660	lsm.exe	101
PID 2768 wrote to memory of 2568	2768	WScript.exe	102
PID 2768 wrote to memory of 2568	2768	WScript.exe	102
PID 2768 wrote to memory of 2568	2768	WScript.exe	102
PID 2568 wrote to memory of 2624	2568	lsm.exe	103
PID 2568 wrote to memory of 2624	2568	lsm.exe	103
PID 2568 wrote to memory of 2624	2568	lsm.exe	103
PID 2568 wrote to memory of 3012	2568	lsm.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\49986bd925df8b3a09e58c4999927830.exe
"C:\Users\Admin\AppData\Local\Temp\49986bd925df8b3a09e58c4999927830.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\49986bd925df8b3a09e58c4999927830.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\it-IT\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kb54B5vlKY.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2448
- - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
    "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
    3⤵
    - Executes dropped EXE
    PID:2004
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6c53460-1812-4732-9223-ba18f119bfc6.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f7ff6fc-bce6-42e4-be29-2f37836e9268.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a1736e6b-de1b-4332-92e2-883b11321183.vbs"
        8⤵
        
        PID:2624
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\54847f59-4745-4c35-916c-9ab75da5fe89.vbs"
        10⤵
        
        PID:1524
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65910bd3-6178-490a-b110-1a9aafe54605.vbs"
        12⤵
        
        PID:2872
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\80f52173-d36e-4c3b-b2f4-a36c7cd9d216.vbs"
        14⤵
        
        PID:2908
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efc8d31d-a36b-4dc4-b41a-f89cc4da7ab1.vbs"
        16⤵
        
        PID:1076
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\af9a604e-206b-47f6-bafd-8eb9973d00b9.vbs"
        18⤵
        
        PID:1708
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\87cc4bc4-e41b-41cd-8742-c87da031f8a0.vbs"
        20⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\73b94619-8873-499e-a42f-9d62c4ec4eaf.vbs"
        20⤵
        
        PID:2708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\34cfe353-c262-414a-b3ec-080bdfc9763b.vbs"
        18⤵
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9bbf523-ff51-4d16-99e8-2f07da246bd7.vbs"
        16⤵
        
        PID:2328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cebf781f-a7b3-4a06-8def-6e1db8c3aa8d.vbs"
        14⤵
        
        PID:932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\83824c62-befc-456b-8478-44ccd40d25e3.vbs"
        12⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6ce67b9a-97e8-447f-b3e8-f56dedbe91db.vbs"
        10⤵
        
        PID:2084
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fdd52d4a-51dc-4a1e-879f-5b5269914c98.vbs"
        8⤵
        
        PID:3012
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a604cbeb-e986-46c2-8cbc-43daeabf65ce.vbs"
        6⤵
        
        PID:1028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3206afd5-f8fd-423c-96c2-9ab112807c5a.vbs"
      4⤵
      PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Cookies\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\it-IT\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\it-IT\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\it-IT\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe

Filesize
1.6MB

MD5
f7642be8eb26f70e6ebd6095f2df03af

SHA1
c4df036f3759dfedb0eea0f4f88b576598671b3e

SHA256
42540cdae15f4d9fc9728ca85cd0b6a61050fb97df7c45727f3c1716d61fe019

SHA512
ca2260d9f6b2c569417611bbbf498203180d35bed937572762b5413bf9ea5f3eb73eb205b3552508924caf5f4ca182accf40630d299eb8c70fef586ddd1adf16

Download Submit
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe

Filesize
1.6MB

MD5
49986bd925df8b3a09e58c4999927830

SHA1
40750b7b784db39850b805c151dfe76c9a6fdf30

SHA256
8d08430b6955cd7396f0e929bc2e098bab79adf22ff486fac8e07c369ebd9837

SHA512
4fb7adb39f1cfba3151cf099b14582e79ad3100c8de878a169bc2028f2bad9082b79ed94f1a8d0d7a441a00799f48c9a22e04eea0b7258930cda4569955b269a

Download Submit
C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\dwm.exe

Filesize
1.6MB

MD5
01eff2ce54c002348b946897c17284e3

SHA1
c61998f7e40e4ad76f8f832b610ccc578d050555

SHA256
4d08f9d4a2a556e384e2e8764d683669bd8dcb270b66e484f9df049e225e5af0

SHA512
dd7c1172753cd02a38ab10852d98076f07ddacb5542f5828fac32aa9af2ede8b7d3c7bf4ed1ece2dcbc38696031a5185d6c176d18587c311e9fdbbb754506c25

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\explorer.exe

Filesize
1.6MB

MD5
b8f98208f45208c048e9492c8a1de856

SHA1
ad14b4e58395b885ad3ef5e09cd1699f57894bf6

SHA256
bb4cad08fb3cc3b8d4b30ee1eb0f935ba3cda9b426f7cc24b4662c45461d2f8a

SHA512
0c1822b0aaf0f5b05a0811de334724e9cdf93e15432bdb57a9c2ed01dce594340a67bab507a29099bf791a7fff3e3b5e8bb651f71731a1796ba8181d8cd151a2

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe

Filesize
1.6MB

MD5
66529f7f6afa2cf62133799b08e7ac0e

SHA1
175a16d032f5e567d49dfab65065d9c66f3eebcd

SHA256
7660bdc4039060650c721aef7d425da73a738d11f6513941adf5f9dab41ef662

SHA512
6d36d94c450297f76eb4872350246d78bf71a140258698835b2616abbcaebee3ef30a094195c0ca4c5a59601643dd09d181bcaf76a2e92fc7ce7b86a31c8a095

Download Submit
C:\Users\Admin\AppData\Local\Temp\54847f59-4745-4c35-916c-9ab75da5fe89.vbs

Filesize
746B

MD5
94b0be16e848902c67ccdc528750f727

SHA1
417d66973e8ed2278bbb0b9760055b4c16e5bde0

SHA256
4c536fc5301c9c56aadea028947e8f57900e2e0f739a62ac1f5359bb4eca858f

SHA512
ca78a611ebaa59b0ec1efd3b4bc1f0a4f10a631dfbcec207d9df298cb5477e0a7ffc24ef7c6b1e4696884330306d2629c952ee4385cfb5d1fdbb5d2d192225f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\65910bd3-6178-490a-b110-1a9aafe54605.vbs

Filesize
746B

MD5
6d0b2925281110752efbbe2313bfd0a1

SHA1
de3076ddedc20f35b2c38c0fd6786b6fc6c3e35d

SHA256
b5efcf2089a9a195b592f81ab5a3a72bd72c51e46c08055b084436d28f0dd8a1

SHA512
7ea840068ae51788f5c6b82d182ea48146e727b5fe10ceb8f1f30f08f725ca8fdb25d69538bb5d8beec800a7970dfad5adc1cee626128935682ae46dc8273577

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f7ff6fc-bce6-42e4-be29-2f37836e9268.vbs

Filesize
746B

MD5
e6725fe2e2ccb4193e8241e2474c541a

SHA1
026cf0e990c94e74f0f1ccc1e643935db6e23aa5

SHA256
e9410d5a208cf724b831bbc4d825dcaf2dc4a64e3a6443125a156717236b53c4

SHA512
ad81253bbe8643c55e7c1738ddf700623bf3d19842863df70ba02da5a7712442f3b26d38964bf24f455713e5c47b3d911e7da2e8c535c461606d4e634822bf44

Download Submit
C:\Users\Admin\AppData\Local\Temp\80f52173-d36e-4c3b-b2f4-a36c7cd9d216.vbs

Filesize
745B

MD5
0e4b1e73ec06acfdf7c38190f0018a65

SHA1
609f29e53026e2098124f1e51d195507d028fad5

SHA256
1625bfab42a81e7a07064628c926f70e9f7bc6bf2426f8c2642d1d5a8a056cbd

SHA512
7910a220107a1ed6c32b50182680438c86c18690c89cfc6c7b954ce813d12d0ac220a2b60c701034b859d249a0f6fb5e2f812248f9f9ab6eb25ad0a0a7e09110

Download Submit
C:\Users\Admin\AppData\Local\Temp\87cc4bc4-e41b-41cd-8742-c87da031f8a0.vbs

Filesize
746B

MD5
9e7d5c981bec10b2ffa0d76793dabedf

SHA1
e75d48b5d06bf40fe93bd2b176edd36ab0b0cb3b

SHA256
001f459bdc2dd2ba985a5d364bef43033e159e81ec67894204b018bba02be9fe

SHA512
0a192efa3bdebcd297124f4eec1cb624216b6d74e8f1bead0c59e80518608e6b2b7124cbe7b5b3f2e7df0561b73b19611358b418be3592b9aca8a2fa4184c948

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kb54B5vlKY.bat

Filesize
235B

MD5
610a5681de773fc78d900421c0b2d93a

SHA1
a631acc80f11f6372898e08ffa29458b36e020b0

SHA256
548704e45c9139d8fa663ab3f6c30b9f0964e15e10b33111a2fb87f5db7ebbb6

SHA512
18a210996a141dfc55e06f92d883d9257821b85da03c0c9bfcf00f9a74dc45b4637a4dfa660e7ac42ee461e3987f74007db38e0345c0818f4cf9d91af21a1eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1736e6b-de1b-4332-92e2-883b11321183.vbs

Filesize
746B

MD5
3a604d32e0a325748a21127755976f3a

SHA1
290813d89ed5e54c88a3df155a6c261bafbc1965

SHA256
d2641969e124fe5cbdec51b119ad47dcb328cceffb054780d758ef540b127205

SHA512
e0bd011b034760f6c8ea82e12f264d14392df4d47652b58148664810334aa9b612c274962df5b66d03c3320daf20683458b32c672c65e2ccb40453dcdb990f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\a604cbeb-e986-46c2-8cbc-43daeabf65ce.vbs

Filesize
522B

MD5
d95cbfdd5b55802a3ba6369ad16830a8

SHA1
01324c40d94073f15ca03de63f259d6164973ea6

SHA256
467efd9f55262c2ae7123411f1324c1585e0840fa388082f895b9d47c5dbf270

SHA512
e6843c68b0a617deb5635eb3b31d4b354112c3bc7c069a0efb792177288955ae55fcee68990dc90e83e18b7a0c545340957be780b21cdb50a5c4e89227994849

Download Submit
C:\Users\Admin\AppData\Local\Temp\af9a604e-206b-47f6-bafd-8eb9973d00b9.vbs

Filesize
746B

MD5
b2e59c2d90a6ac2a41394c378a8af364

SHA1
33bd49f45ec99bd6e600a1856e245bc9d176d172

SHA256
8f099c7fa628729ce1c928b921d66cd45d6116f26396dc914a907eb94a1832ac

SHA512
1d76a9bd98e89af2fcac9328c168febb924a4c45a82cad10b9709566da5a5087575fb6483eb5318aa17af4d5c3d5118c20c797c524bfa7d254d73120bee7e4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\efc8d31d-a36b-4dc4-b41a-f89cc4da7ab1.vbs

Filesize
745B

MD5
e5430f3ebc754416ae9c6d1e98950ed5

SHA1
9191b14112523cc90b67011a83366b7dcef6b4cd

SHA256
21d0433175213bea8eaf30a15ac3aba8cb2531f3156d9fa7337896dae048e5f3

SHA512
771047711bda3b8f6448cf0fbbc511749efe3fd5e17af98b7b38ba51a210de71950923181dec4a908e42687f6e117588c99861cfd50af02961bc787415ddefe9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\lsm.exe

Filesize
1.6MB

MD5
aea9b696cab91497befd25802ff08259

SHA1
edc0aa4d3a2b86062c1274e84c9865c83bff3294

SHA256
d9eb95f58c163276a70e2471de92f09bd1d3fc080f29930d30f7444bf994b0c3

SHA512
67abce8f26cb12781d69fc7df83539aea6bb38846e6f47a5f9328b6f8ba4c1aab5ba7a186b75aff46fa4f4617b0ca2480b7eb6a345084a8007bcd8a0288452c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ea35aa012f1ce15839503d96daf7607e

SHA1
2a4f1486aed971cd423bbd4b8aa5e5396dfe45d3

SHA256
a345815e7c763474a420740e498b3bce080592f6a255dab9ef75bf50710a8fcd

SHA512
1bf6ce455df1dd83facfe3ea6e197ce7ac7181cfb34dcfc96611f852f5ef1b11f8845b5038235eb3f47bb24373df4c84aff586d289e67299678eb6374da1cb30

Download Submit
memory/300-303-0x0000000001210000-0x00000000013B2000-memory.dmp

Filesize
1.6MB

Download
memory/444-315-0x0000000000020000-0x00000000001C2000-memory.dmp

Filesize
1.6MB

Download
memory/1616-339-0x0000000000910000-0x0000000000AB2000-memory.dmp

Filesize
1.6MB

Download
memory/1636-327-0x0000000000170000-0x0000000000312000-memory.dmp

Filesize
1.6MB

Download
memory/1660-256-0x0000000000200000-0x00000000003A2000-memory.dmp

Filesize
1.6MB

Download
memory/2064-291-0x00000000000F0000-0x0000000000292000-memory.dmp

Filesize
1.6MB

Download
memory/2180-11-0x0000000000DE0000-0x0000000000DEA000-memory.dmp

Filesize
40KB

Download
memory/2180-7-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/2180-1-0x0000000001160000-0x0000000001302000-memory.dmp

Filesize
1.6MB

Download
memory/2180-2-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-234-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

Filesize
9.9MB

Download
memory/2180-16-0x0000000000E30000-0x0000000000E3C000-memory.dmp

Filesize
48KB

Download
memory/2180-15-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/2180-14-0x0000000000E10000-0x0000000000E18000-memory.dmp

Filesize
32KB

Download
memory/2180-13-0x0000000000E00000-0x0000000000E08000-memory.dmp

Filesize
32KB

Download
memory/2180-3-0x0000000000C70000-0x0000000000C8C000-memory.dmp

Filesize
112KB

Download
memory/2180-12-0x0000000000DF0000-0x0000000000DFE000-memory.dmp

Filesize
56KB

Download
memory/2180-4-0x0000000000530000-0x0000000000540000-memory.dmp

Filesize
64KB

Download
memory/2180-0-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2180-10-0x0000000000DD0000-0x0000000000DDC000-memory.dmp

Filesize
48KB

Download
memory/2180-9-0x0000000000D20000-0x0000000000D2C000-memory.dmp

Filesize
48KB

Download
memory/2180-8-0x0000000000D00000-0x0000000000D08000-memory.dmp

Filesize
32KB

Download
memory/2180-178-0x000007FEF57C3000-0x000007FEF57C4000-memory.dmp

Filesize
4KB

Download
memory/2180-6-0x0000000000CF0000-0x0000000000CF8000-memory.dmp

Filesize
32KB

Download
memory/2180-5-0x0000000000C90000-0x0000000000CA6000-memory.dmp

Filesize
88KB

Download
memory/2356-279-0x00000000002D0000-0x0000000000472000-memory.dmp

Filesize
1.6MB

Download
memory/2568-267-0x0000000000BB0000-0x0000000000D52000-memory.dmp

Filesize
1.6MB

Download
memory/2592-214-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/3008-218-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download