dcrat | fd198cf3ef764ffa17e7bd465d666057804a25ed5c6061074c0de7b6df43a667

Analysis

max time kernel
155s
max time network
172s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
Size

1.6MB
MD5

e9a51358da08f22af241931abad598ae
SHA1

04afc75b8bd8a406d03b844292ac955499feb7bf
SHA256

301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db
SHA512

fe3c8a7ecca641122815dc2ecdaec54811318291df3fd278a9516e5a87b95b76b92caef20efbdf382bf286fa5d3d71ddc35d53a8097b5972e8c03a7b1cc36eab
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 63 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2904	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2904	schtasks.exe	29

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral29/memory/2376-1-0x0000000000D00000-0x0000000000EA2000-memory.dmp	dcrat
behavioral29/files/0x000500000001a469-27.dat	dcrat
behavioral29/files/0x000700000001a479-82.dat	dcrat
behavioral29/memory/2928-278-0x0000000001290000-0x0000000001432000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 23 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe
1156	powershell.exe
844	powershell.exe
1920	powershell.exe
2384	powershell.exe
1920	powershell.exe
868	powershell.exe
2976	powershell.exe
1296	powershell.exe
1200	powershell.exe
1864	powershell.exe
836	powershell.exe
1840	powershell.exe
1792	powershell.exe
1832	powershell.exe
964	powershell.exe
1764	powershell.exe
2952	powershell.exe
2232	powershell.exe
1740	powershell.exe
1156	powershell.exe
3040	powershell.exe
2420	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
2928	System.exe
1724	System.exe
2128	System.exe
236	System.exe
2924	System.exe
916	System.exe

Drops file in Program Files directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defender\ja-JP\services.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX92E0.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\7-Zip\Lang\24dbde2999530e	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\b75386f1303e64	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCX999A.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\7-Zip\Lang\WmiPrvSE.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX9FD7.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCX92CF.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCX991C.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\RCX9FC7.tmp	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\7-Zip\Lang\WmiPrvSE.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\6203df4a6bafc7	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Google\24dbde2999530e	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\lsm.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Google\WmiPrvSE.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\f3b6ecef712a24	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Windows Defender\ja-JP\services.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\Google\WmiPrvSE.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\101b941d020240	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\explorer.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\7a0fd90576e088	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\529db8da3dc1f9	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Program Files\Windows Defender\ja-JP\c5b4cb5e9653cc	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\explorer.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\IME\IMESC5\services.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Windows\IME\IMESC5\c5b4cb5e9653cc	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Windows\Downloaded Program Files\24dbde2999530e	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Windows\Fonts\services.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Windows\winsxs\x86_networking-mpssvc-svc.resources_31bf3856ad364e35_6.1.7601.17514_ja-jp_b8406654aa00440b\sppsvc.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Windows\Fonts\services.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File created	C:\Windows\Fonts\c5b4cb5e9653cc	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Windows\IME\IMESC5\services.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
File opened for modification	C:\Windows\Downloaded Program Files\WmiPrvSE.exe	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 63 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
884	schtasks.exe
1524	schtasks.exe
2992	schtasks.exe
2752	schtasks.exe
2452	schtasks.exe
2648	schtasks.exe
2924	schtasks.exe
940	schtasks.exe
1244	schtasks.exe
2248	schtasks.exe
2588	schtasks.exe
1052	schtasks.exe
608	schtasks.exe
2140	schtasks.exe
1496	schtasks.exe
1016	schtasks.exe
2556	schtasks.exe
2736	schtasks.exe
1248	schtasks.exe
1232	schtasks.exe
1852	schtasks.exe
2516	schtasks.exe
2260	schtasks.exe
1252	schtasks.exe
2620	schtasks.exe
2444	schtasks.exe
2280	schtasks.exe
2568	schtasks.exe
2696	schtasks.exe
1812	schtasks.exe
1880	schtasks.exe
1768	schtasks.exe
924	schtasks.exe
2832	schtasks.exe
2392	schtasks.exe
2184	schtasks.exe
2592	schtasks.exe
2456	schtasks.exe
2128	schtasks.exe
1344	schtasks.exe
1816	schtasks.exe
2272	schtasks.exe
2368	schtasks.exe
2760	schtasks.exe
1844	schtasks.exe
2232	schtasks.exe
1744	schtasks.exe
2256	schtasks.exe
1636	schtasks.exe
1648	schtasks.exe
944	schtasks.exe
2640	schtasks.exe
2120	schtasks.exe
2640	schtasks.exe
2984	schtasks.exe
1868	schtasks.exe
764	schtasks.exe
2592	schtasks.exe
2436	schtasks.exe
756	schtasks.exe
2644	schtasks.exe
3044	schtasks.exe
652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
1792	powershell.exe
1832	powershell.exe
1200	powershell.exe
1920	powershell.exe
1156	powershell.exe
1296	powershell.exe
1840	powershell.exe
844	powershell.exe
1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
1740	powershell.exe
2384	powershell.exe
2532	powershell.exe
836	powershell.exe
2976	powershell.exe
1764	powershell.exe
2420	powershell.exe
964	powershell.exe
1920	powershell.exe
1156	powershell.exe
3040	powershell.exe
2952	powershell.exe
2232	powershell.exe
868	powershell.exe
1864	powershell.exe
2928	System.exe
1724	System.exe
2128	System.exe
236	System.exe
2924	System.exe
916	System.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2928	System.exe
Token: SeDebugPrivilege	1724	System.exe
Token: SeDebugPrivilege	2128	System.exe
Token: SeDebugPrivilege	236	System.exe
Token: SeDebugPrivilege	2924	System.exe
Token: SeDebugPrivilege	916	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1840	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	51
PID 2376 wrote to memory of 1840	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	51
PID 2376 wrote to memory of 1840	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	51
PID 2376 wrote to memory of 1296	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	52
PID 2376 wrote to memory of 1296	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	52
PID 2376 wrote to memory of 1296	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	52
PID 2376 wrote to memory of 1156	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	53
PID 2376 wrote to memory of 1156	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	53
PID 2376 wrote to memory of 1156	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	53
PID 2376 wrote to memory of 1792	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	54
PID 2376 wrote to memory of 1792	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	54
PID 2376 wrote to memory of 1792	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	54
PID 2376 wrote to memory of 844	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	55
PID 2376 wrote to memory of 844	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	55
PID 2376 wrote to memory of 844	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	55
PID 2376 wrote to memory of 1200	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	56
PID 2376 wrote to memory of 1200	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	56
PID 2376 wrote to memory of 1200	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	56
PID 2376 wrote to memory of 1920	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	57
PID 2376 wrote to memory of 1920	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	57
PID 2376 wrote to memory of 1920	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	57
PID 2376 wrote to memory of 1832	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	58
PID 2376 wrote to memory of 1832	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	58
PID 2376 wrote to memory of 1832	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	58
PID 2376 wrote to memory of 1544	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	67
PID 2376 wrote to memory of 1544	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	67
PID 2376 wrote to memory of 1544	2376	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	67
PID 1544 wrote to memory of 2384	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	110
PID 1544 wrote to memory of 2384	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	110
PID 1544 wrote to memory of 2384	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	110
PID 1544 wrote to memory of 1920	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	111
PID 1544 wrote to memory of 1920	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	111
PID 1544 wrote to memory of 1920	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	111
PID 1544 wrote to memory of 836	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	112
PID 1544 wrote to memory of 836	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	112
PID 1544 wrote to memory of 836	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	112
PID 1544 wrote to memory of 1864	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	113
PID 1544 wrote to memory of 1864	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	113
PID 1544 wrote to memory of 1864	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	113
PID 1544 wrote to memory of 2532	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	114
PID 1544 wrote to memory of 2532	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	114
PID 1544 wrote to memory of 2532	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	114
PID 1544 wrote to memory of 2232	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	115
PID 1544 wrote to memory of 2232	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	115
PID 1544 wrote to memory of 2232	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	115
PID 1544 wrote to memory of 1740	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	116
PID 1544 wrote to memory of 1740	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	116
PID 1544 wrote to memory of 1740	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	116
PID 1544 wrote to memory of 964	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	117
PID 1544 wrote to memory of 964	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	117
PID 1544 wrote to memory of 964	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	117
PID 1544 wrote to memory of 1156	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	118
PID 1544 wrote to memory of 1156	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	118
PID 1544 wrote to memory of 1156	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	118
PID 1544 wrote to memory of 868	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	119
PID 1544 wrote to memory of 868	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	119
PID 1544 wrote to memory of 868	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	119
PID 1544 wrote to memory of 2976	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	120
PID 1544 wrote to memory of 2976	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	120
PID 1544 wrote to memory of 2976	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	120
PID 1544 wrote to memory of 1764	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	121
PID 1544 wrote to memory of 1764	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	121
PID 1544 wrote to memory of 1764	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	121
PID 1544 wrote to memory of 3040	1544	301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe	122

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
"C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1840
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe
  "C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2384
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1864
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2532
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2232
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\explorer.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1740
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:868
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMESC5\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\services.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Users\Admin\Templates\System.exe
    "C:\Users\Admin\Templates\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\efcfb48b-05d7-48ca-96ee-993ec1e4db79.vbs"
      4⤵
      PID:616
    - - C:\Users\Admin\Templates\System.exe
        
        C:\Users\Admin\Templates\System.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4a5355b1-599b-467a-b6eb-ef6e4d95f4dc.vbs"
        6⤵
        
        PID:2820
        
        C:\Users\Admin\Templates\System.exe
        
        C:\Users\Admin\Templates\System.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5b17698f-a6a9-4973-8c44-ec78b97729c9.vbs"
        8⤵
        
        PID:1860
        
        C:\Users\Admin\Templates\System.exe
        
        C:\Users\Admin\Templates\System.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3736ad55-8ce1-4e56-8099-22d6aa4e3bb9.vbs"
        10⤵
        
        PID:2980
        
        C:\Users\Admin\Templates\System.exe
        
        C:\Users\Admin\Templates\System.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5678030-0271-490b-9998-ece4d033d7a4.vbs"
        12⤵
        
        PID:1612
        
        C:\Users\Admin\Templates\System.exe
        
        C:\Users\Admin\Templates\System.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b0c4ba1b-f464-4127-8376-290801fff6c1.vbs"
        14⤵
        
        PID:3008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e04cdce4-1fff-4aec-9ae0-5448cb5b9a99.vbs"
        14⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b649fa1-4a3b-4be4-b5d7-7e259bc8f3a7.vbs"
        12⤵
        
        PID:1456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cf9f962e-de2e-4f2c-baad-0b9e07100050.vbs"
        10⤵
        
        PID:2108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\807cd471-5046-4a60-b7df-126582193741.vbs"
        8⤵
        
        PID:2972
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8fe44fab-fc91-4326-b871-5ecaebddca86.vbs"
        6⤵
        
        PID:1740
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\00da256f-450c-48ec-b714-2203945f002e.vbs"
      4⤵
      PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db3" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db3" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\Crashpad\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\Accessories\en-US\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\IMESC5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\IME\IMESC5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Downloaded Program Files\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Fonts\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\spoolsv.exe

Filesize
1.6MB

MD5
e9a51358da08f22af241931abad598ae

SHA1
04afc75b8bd8a406d03b844292ac955499feb7bf

SHA256
301cceb8e4221cd718e3c661b8ade26f604d90eb15652b5842fefee4fcf1e8db

SHA512
fe3c8a7ecca641122815dc2ecdaec54811318291df3fd278a9516e5a87b95b76b92caef20efbdf382bf286fa5d3d71ddc35d53a8097b5972e8c03a7b1cc36eab

Download Submit
C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe

Filesize
1.6MB

MD5
8df4c00eaf9b62fb141debe69750f8fa

SHA1
572e8062cd5ab57e8888243a2d9014324661f7c7

SHA256
b7389d8814d91c8f5ee04562bd41d4c3d923555d6c0ce7ed28a3cd516b3c1df5

SHA512
5cdf594ae4cdb487fee79b064662f74a3a8dfd53783db9a5749d40cbf9cada4f7d50504b448d77e5a1af5d7a74beecde7a255833606649653c18cfd699e24533

Download Submit
C:\Users\Admin\AppData\Local\Temp\00da256f-450c-48ec-b714-2203945f002e.vbs

Filesize
487B

MD5
100ef692b9bdb5ea57cffb80c96c2593

SHA1
5b75e7f6e2e4af16b227470fceb82eeb72edbde8

SHA256
cf51f600837d5a028bc4d01adfbe73801e4fd837efd533829f26d47f11e06971

SHA512
83d165f62ef6c1f0169d0a05cae587733e22af66ad26a0be7d534140c9a80d05d292d2ab110c48a764cbe3c6a05229f81aab68bb91ab6d628cf335875d6c7709

Download Submit
C:\Users\Admin\AppData\Local\Temp\3736ad55-8ce1-4e56-8099-22d6aa4e3bb9.vbs

Filesize
710B

MD5
b110a38163ec77a97628d920e80172da

SHA1
9235841ceef158bab57ae9058e6c972c9dc4529f

SHA256
f943e0318d5b232e28c26bf89a142e59b92184986e037b4884d98d89ed5827ca

SHA512
adf343b8a36ed95a6058b6fba481426a8740d8f6f30dff1d15b47af4dc8b1f20b94ab5b690f678b204cad656d50c52d9225bfc2fa201c9927eca968659281508

Download Submit
C:\Users\Admin\AppData\Local\Temp\4a5355b1-599b-467a-b6eb-ef6e4d95f4dc.vbs

Filesize
711B

MD5
e1b2d6a72367826e420889e3d0cb842e

SHA1
74b052409f72d037e61449c488ec1fe7db276e63

SHA256
c833da17ae3c191bd329398a438656bc9b15e8b008b4e5e4d62cf656bc98b41c

SHA512
d6775a183a53f59d6013864ffedff8e3609e661e9359aeabfe3bc49c15576976be583e13c0c69e96b3dbad83f1736231b09f123e1c081fc1e1144917e3d75aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b17698f-a6a9-4973-8c44-ec78b97729c9.vbs

Filesize
711B

MD5
88405bfe8962f0cf44b593f314d127c8

SHA1
f216cd53c11ab18ec4bd407e38f90c354b500667

SHA256
1d0578fe6f865c7df1a6d2fd64e686cc8965f8ced3b762565739ffb229e5da5c

SHA512
37488e53d2c6d08c71e2f4d454b71200af4fa8538d8477e908ecd87c9ec6115e3a98c83d9da3a49c2ec6db05fb1a8b8d9e59a958f4ae7a6e198f20666526d535

Download Submit
C:\Users\Admin\AppData\Local\Temp\b0c4ba1b-f464-4127-8376-290801fff6c1.vbs

Filesize
710B

MD5
a92c5726df89027b779c517316e8b7c8

SHA1
ab3f134b031b06f0606bbfe902fbd41d3799e7a8

SHA256
9fd579fc088907208c43fae2529581ad7dd0e1925aaecabe6785a0dd4129fc00

SHA512
69a96fbd0b672c2bda8d3518f34c7be8e757e99e5afc19f5d8031d58f005a7a62a0f2d2b0bc18a95bf4e5d85984469a935be14aaff7221fb916ae3e0c291fa8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5678030-0271-490b-9998-ece4d033d7a4.vbs

Filesize
711B

MD5
a36f92e928eebbcb3fa5432e19f1f24f

SHA1
288b61c71e45d4d838608e1d2fc3a7ebbc3ae05a

SHA256
18b8773142dde8d8926f174cb0750193a5c3b39bdaf3be5b0d8dd14621a55eaa

SHA512
2c27aa31c1574a199f7b90fd2bb81bc7358993bb7605e479bed589ee7b01aa1c337691ec8869c69a73b1dc04d5f4f41e6e13e32cf6a088ca578923cee7240c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\efcfb48b-05d7-48ca-96ee-993ec1e4db79.vbs

Filesize
711B

MD5
a67dedecb715d8344f97fadcedf7bf8e

SHA1
89a16648235a75d99af46a60310332ac8a270124

SHA256
0b7f863e7ec9cf17378e8f4f56da08eec9fe3f0eb6c3ef244823c40aa9a24ad5

SHA512
6d99479f7b049e370ffb07b568656741602c2ba07689fb7296f1206681bd9aec2bb21163084950f4a0f89980a488f242cd240df87334e2f72447ba4374bfcc71

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d12513c06d0b2d2da81ac2853feb6725

SHA1
b87549080d13399abdf1a7a5471001f1be96f5cb

SHA256
631a2b7817ece492ef60635f12dc66435ed6502a27b9653fcb4927ffd569ac09

SHA512
2ded3a7d06194de847bc7d0f25e91cf1d78e09c15daee8abebf833374808c681da0524ef0867dc84f3626df014698b9c0bc1ae16bcba44a349692ab4043b9a3b

Download Submit
memory/1740-234-0x000000001B340000-0x000000001B622000-memory.dmp

Filesize
2.9MB

Download
memory/1740-235-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/1792-157-0x0000000002360000-0x0000000002368000-memory.dmp

Filesize
32KB

Download
memory/1792-156-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/2376-9-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/2376-0-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

Filesize
4KB

Download
memory/2376-17-0x0000000002400000-0x000000000240C000-memory.dmp

Filesize
48KB

Download
memory/2376-24-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-14-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/2376-15-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/2376-13-0x00000000022C0000-0x00000000022CE000-memory.dmp

Filesize
56KB

Download
memory/2376-12-0x00000000022B0000-0x00000000022BA000-memory.dmp

Filesize
40KB

Download
memory/2376-11-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/2376-158-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-10-0x0000000000CE0000-0x0000000000CEC000-memory.dmp

Filesize
48KB

Download
memory/2376-16-0x00000000023F0000-0x00000000023FA000-memory.dmp

Filesize
40KB

Download
memory/2376-8-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

Filesize
64KB

Download
memory/2376-1-0x0000000000D00000-0x0000000000EA2000-memory.dmp

Filesize
1.6MB

Download
memory/2376-6-0x0000000000CA0000-0x0000000000CB6000-memory.dmp

Filesize
88KB

Download
memory/2376-7-0x00000000004F0000-0x00000000004F8000-memory.dmp

Filesize
32KB

Download
memory/2376-5-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2376-4-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2376-3-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp

Filesize
9.9MB

Download
memory/2376-2-0x000007FEF5A73000-0x000007FEF5A74000-memory.dmp

Filesize
4KB

Download
memory/2928-278-0x0000000001290000-0x0000000001432000-memory.dmp

Filesize
1.6MB

Download