dcrat | 5e5d5458b8a025c2bc9a6e7998492989732967c9a1019b11d655200adf3686c7

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
Size

1.6MB
MD5

cd1634a0788a7e0c1120930a46dcceed
SHA1

5e990eda55dd6b4f6001898f8f4d828518d05c9b
SHA256

832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90
SHA512

7c4758fdb7fdc7fe06e542b0e64e245c6dae141b4355458e90fb7a600db94ef0d53cb0b18760833112d1e21e42528b03bce6f6196bbe9fe0aa228803e5ac2335
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2712	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2712	schtasks.exe	31

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/2460-1-0x0000000000EC0000-0x0000000001062000-memory.dmp	dcrat
behavioral25/files/0x0005000000019d62-25.dat	dcrat
behavioral25/files/0x00100000000141df-91.dat	dcrat
behavioral25/files/0x00070000000199b9-102.dat	dcrat
behavioral25/files/0x000b000000018669-113.dat	dcrat
behavioral25/files/0x0006000000019d62-125.dat	dcrat
behavioral25/memory/2540-376-0x0000000000CD0000-0x0000000000E72000-memory.dmp	dcrat
behavioral25/memory/2924-387-0x0000000001130000-0x00000000012D2000-memory.dmp	dcrat
behavioral25/memory/1588-454-0x00000000003C0000-0x0000000000562000-memory.dmp	dcrat
behavioral25/memory/2928-466-0x00000000011C0000-0x0000000001362000-memory.dmp	dcrat
behavioral25/memory/1672-489-0x0000000001230000-0x00000000013D2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1384	powershell.exe
1660	powershell.exe
2848	powershell.exe
1788	powershell.exe
680	powershell.exe
2764	powershell.exe
2580	powershell.exe
2944	powershell.exe
2976	powershell.exe
1688	powershell.exe
2468	powershell.exe
2232	powershell.exe
2120	powershell.exe
1652	powershell.exe
1100	powershell.exe
1848	powershell.exe
588	powershell.exe
1988	powershell.exe
2276	powershell.exe
1588	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2540	OSPPSVC.exe
2924	OSPPSVC.exe
2656	OSPPSVC.exe
2000	OSPPSVC.exe
2228	OSPPSVC.exe
2004	OSPPSVC.exe
2868	OSPPSVC.exe
1588	OSPPSVC.exe
2928	OSPPSVC.exe
1684	OSPPSVC.exe
1672	OSPPSVC.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\6cb0b6c459d5d3	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\75a57c1bdf437c	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXEBD9.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXEBDA.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXFE41.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX808.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files (x86)\Windows Portable Devices\24dbde2999530e	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WMIADAP.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files\Reference Assemblies\audiodg.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files\Reference Assemblies\42af1c969fbb7b	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\dwm.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\RCXF9BB.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WMIADAP.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files\DVD Maker\en-US\WMIADAP.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\WMIADAP.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXB4.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files\Reference Assemblies\RCX79A.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files\Reference Assemblies\audiodg.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files\DVD Maker\en-US\75a57c1bdf437c	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files\DVD Maker\en-US\RCXF9BA.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXFE42.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCXB3.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Program Files (x86)\Google\Temp\dwm.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\Custom\42af1c969fbb7b	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\ja-JP\RCXF330.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\ja-JP\winlogon.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\fr-FR\RCXEDDE.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\Cursors\RCXC20.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\Cursors\csrss.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\fr-FR\RCXEE4C.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\LiveKernelReports\lsass.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\fr-FR\sppsvc.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\LiveKernelReports\lsass.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\AppPatch\Custom\RCXE92.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\AppPatch\Custom\RCXE93.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\AppPatch\Custom\audiodg.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\Cursors\RCXC21.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\BitLockerDiscoveryVolumeContents\42af1c969fbb7b	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\Cursors\886983d96e3d3e	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\fr-FR\0a1fd5f707cd16	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\LiveKernelReports\6203df4a6bafc7	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\ja-JP\RCXF2C2.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\ja-JP\winlogon.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\Cursors\csrss.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXF050.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\LiveKernelReports\RCXF0BE.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXF7B7.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\RCXF7B6.tmp	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\fr-FR\sppsvc.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\ja-JP\cc11b995f2a76d	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
File created	C:\Windows\AppPatch\Custom\audiodg.exe	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
880	schtasks.exe
1768	schtasks.exe
1688	schtasks.exe
2308	schtasks.exe
3060	schtasks.exe
1536	schtasks.exe
2280	schtasks.exe
2572	schtasks.exe
644	schtasks.exe
772	schtasks.exe
620	schtasks.exe
408	schtasks.exe
700	schtasks.exe
1100	schtasks.exe
1652	schtasks.exe
2724	schtasks.exe
1992	schtasks.exe
1988	schtasks.exe
2936	schtasks.exe
2036	schtasks.exe
1648	schtasks.exe
3016	schtasks.exe
1484	schtasks.exe
2988	schtasks.exe
2976	schtasks.exe
1312	schtasks.exe
2636	schtasks.exe
2232	schtasks.exe
2244	schtasks.exe
1996	schtasks.exe
2844	schtasks.exe
2096	schtasks.exe
1636	schtasks.exe
2856	schtasks.exe
1540	schtasks.exe
3064	schtasks.exe
2956	schtasks.exe
696	schtasks.exe
2520	schtasks.exe
1588	schtasks.exe
3004	schtasks.exe
548	schtasks.exe
2912	schtasks.exe
1620	schtasks.exe
1796	schtasks.exe
1560	schtasks.exe
2760	schtasks.exe
2816	schtasks.exe
2876	schtasks.exe
2960	schtasks.exe
1596	schtasks.exe
580	schtasks.exe
2248	schtasks.exe
2624	schtasks.exe
640	schtasks.exe
1332	schtasks.exe
2008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
1848	powershell.exe
588	powershell.exe
1688	powershell.exe
2976	powershell.exe
680	powershell.exe
1588	powershell.exe
2944	powershell.exe
1988	powershell.exe
2848	powershell.exe
1788	powershell.exe
2276	powershell.exe
1660	powershell.exe
1384	powershell.exe
1652	powershell.exe
1100	powershell.exe
2232	powershell.exe
2120	powershell.exe
2580	powershell.exe
2468	powershell.exe
2764	powershell.exe
2540	OSPPSVC.exe
2924	OSPPSVC.exe
2656	OSPPSVC.exe
2000	OSPPSVC.exe
2228	OSPPSVC.exe
2004	OSPPSVC.exe
2868	OSPPSVC.exe
1588	OSPPSVC.exe
2928	OSPPSVC.exe
1684	OSPPSVC.exe
1672	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2540	OSPPSVC.exe
Token: SeDebugPrivilege	2924	OSPPSVC.exe
Token: SeDebugPrivilege	2656	OSPPSVC.exe
Token: SeDebugPrivilege	2000	OSPPSVC.exe
Token: SeDebugPrivilege	2228	OSPPSVC.exe
Token: SeDebugPrivilege	2004	OSPPSVC.exe
Token: SeDebugPrivilege	2868	OSPPSVC.exe
Token: SeDebugPrivilege	1588	OSPPSVC.exe
Token: SeDebugPrivilege	2928	OSPPSVC.exe
Token: SeDebugPrivilege	1684	OSPPSVC.exe
Token: SeDebugPrivilege	1672	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2976	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	89
PID 2460 wrote to memory of 2976	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	89
PID 2460 wrote to memory of 2976	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	89
PID 2460 wrote to memory of 1848	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	90
PID 2460 wrote to memory of 1848	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	90
PID 2460 wrote to memory of 1848	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	90
PID 2460 wrote to memory of 588	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	92
PID 2460 wrote to memory of 588	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	92
PID 2460 wrote to memory of 588	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	92
PID 2460 wrote to memory of 1988	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	93
PID 2460 wrote to memory of 1988	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	93
PID 2460 wrote to memory of 1988	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	93
PID 2460 wrote to memory of 2944	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	94
PID 2460 wrote to memory of 2944	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	94
PID 2460 wrote to memory of 2944	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	94
PID 2460 wrote to memory of 1100	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	96
PID 2460 wrote to memory of 1100	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	96
PID 2460 wrote to memory of 1100	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	96
PID 2460 wrote to memory of 680	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	97
PID 2460 wrote to memory of 680	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	97
PID 2460 wrote to memory of 680	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	97
PID 2460 wrote to memory of 1688	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	99
PID 2460 wrote to memory of 1688	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	99
PID 2460 wrote to memory of 1688	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	99
PID 2460 wrote to memory of 2276	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	101
PID 2460 wrote to memory of 2276	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	101
PID 2460 wrote to memory of 2276	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	101
PID 2460 wrote to memory of 1652	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	102
PID 2460 wrote to memory of 1652	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	102
PID 2460 wrote to memory of 1652	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	102
PID 2460 wrote to memory of 1384	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	103
PID 2460 wrote to memory of 1384	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	103
PID 2460 wrote to memory of 1384	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	103
PID 2460 wrote to memory of 2580	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	104
PID 2460 wrote to memory of 2580	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	104
PID 2460 wrote to memory of 2580	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	104
PID 2460 wrote to memory of 2120	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	105
PID 2460 wrote to memory of 2120	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	105
PID 2460 wrote to memory of 2120	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	105
PID 2460 wrote to memory of 1788	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	106
PID 2460 wrote to memory of 1788	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	106
PID 2460 wrote to memory of 1788	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	106
PID 2460 wrote to memory of 2848	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	107
PID 2460 wrote to memory of 2848	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	107
PID 2460 wrote to memory of 2848	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	107
PID 2460 wrote to memory of 1660	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	108
PID 2460 wrote to memory of 1660	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	108
PID 2460 wrote to memory of 1660	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	108
PID 2460 wrote to memory of 2232	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	109
PID 2460 wrote to memory of 2232	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	109
PID 2460 wrote to memory of 2232	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	109
PID 2460 wrote to memory of 2764	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	111
PID 2460 wrote to memory of 2764	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	111
PID 2460 wrote to memory of 2764	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	111
PID 2460 wrote to memory of 2468	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	113
PID 2460 wrote to memory of 2468	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	113
PID 2460 wrote to memory of 2468	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	113
PID 2460 wrote to memory of 1588	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	115
PID 2460 wrote to memory of 1588	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	115
PID 2460 wrote to memory of 1588	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	115
PID 2460 wrote to memory of 2540	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	129
PID 2460 wrote to memory of 2540	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	129
PID 2460 wrote to memory of 2540	2460	832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe	129
PID 2540 wrote to memory of 2336	2540	OSPPSVC.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe
"C:\Users\Admin\AppData\Local\Temp\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1100
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1384
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Pictures\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\Custom\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
  "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ab34e10e-f762-466b-9e21-aa4e0c58650a.vbs"
    3⤵
    PID:2336
  - - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
      "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2924
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\688b3b69-bb79-42aa-886d-5497e52411d8.vbs"
        5⤵
        
        PID:920
      - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\49c691a1-56bf-4aae-a264-dcf6c1fd2184.vbs"
        7⤵
        
        PID:1788
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5f01588-9b4a-4028-8d8d-af3a12fbddda.vbs"
        9⤵
        
        PID:2800
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5c6e43c1-b859-4542-8613-02e04f155ab6.vbs"
        11⤵
        
        PID:2560
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50db9f4a-5fd4-4b93-a7be-a4d190990ba0.vbs"
        13⤵
        
        PID:2192
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\58e347e8-bab6-44d7-bcc9-757689ce7522.vbs"
        15⤵
        
        PID:920
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fb2b1f5b-bc0d-49b0-8fbd-4bb278ef4ab7.vbs"
        17⤵
        
        PID:2092
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d22add68-ac8c-4877-9517-2bdebea427d3.vbs"
        19⤵
        
        PID:2076
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2af059c-b2a0-4cfd-a105-a4d89652026d.vbs"
        21⤵
        
        PID:1992
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1820ca52-76e8-407d-89d9-e6b20abfcd0a.vbs"
        23⤵
        
        PID:2716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\81d5cb64-f49a-470c-a8b4-8e6d823ef285.vbs"
        23⤵
        
        PID:2936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\410a45ee-62ef-4151-88d2-322036e44c3f.vbs"
        21⤵
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6e7fbc2-2fc9-4bae-b63a-17256f443607.vbs"
        19⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\853c87ba-1f3e-4dc3-a41c-a59ad9e68545.vbs"
        17⤵
        
        PID:2240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcf08196-b154-442c-8097-69a51c894531.vbs"
        15⤵
        
        PID:2280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fc26d047-8352-4025-8556-d9ae2e41aebb.vbs"
        13⤵
        
        PID:1500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a697ae2-0196-4a0e-8ad0-344dc7a4d212.vbs"
        11⤵
        
        PID:2416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cebae0c9-9155-41f6-9427-bbcc1fd18543.vbs"
        9⤵
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8a074670-be34-4686-9bcf-f5dcea1b1408.vbs"
        7⤵
        
        PID:2620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\01833e58-9e24-4ec5-8f69-655dc4a0647d.vbs"
        5⤵
        
        PID:352
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a650078b-4866-4af3-9ea3-d067ddfb9530.vbs"
    3⤵
    PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Documents\My Music\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f908" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f908" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Pictures\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\Custom\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1820ca52-76e8-407d-89d9-e6b20abfcd0a.vbs

Filesize
750B

MD5
1895db3c3e04610c6bdb963cd8252aa7

SHA1
11088fed24a19ec6cc015fd78bfa678a5c6288f6

SHA256
845c2a2a2f79529143539b3cffcb9deb592bb0d345acb7f457596adc0c38e7b8

SHA512
5795db3fdbc3ddecd3030c60b406f65fa85275a00803603f56e29f5bff57611405d7256e65777231694963aea3b67a6fd8f44dcfb37d9fab5d6e84354fbe2515

Download Submit
C:\Users\Admin\AppData\Local\Temp\49c691a1-56bf-4aae-a264-dcf6c1fd2184.vbs

Filesize
750B

MD5
c64441ba430d54cd263546d7385ec87c

SHA1
d8ed1b78bc27d30cbb28ab1180f134a70eaca847

SHA256
036ea18a9317af682e4319fb4537ad9bab3f2920966b01514cc3b5c7a9de3b1d

SHA512
29ebe16760ca333a0f52c6a591658b21c5cb05e6e6e80777360d345dbe5965c9534e7d6a2dd01f3fc58b40cea1af6bf2a3dbcc4594b44a05ddf47999cf6a4693

Download Submit
C:\Users\Admin\AppData\Local\Temp\50db9f4a-5fd4-4b93-a7be-a4d190990ba0.vbs

Filesize
750B

MD5
baebc10604d392bfa9783bfc5d1aa02f

SHA1
dde7481136ae0b5c3b0b9c5507e6831a4f05db30

SHA256
46ebb011931c8169e7cc61199db50b50c4b0560053ee5616320f88aabf402e0d

SHA512
01485a6d1810eb9adda4e655a9f3f4ac5c88320d314220596a2f33a03a39cde5e8fabb8e66463465ed741b657393fb3e1816545e4aae9f33b4517da03cf42bc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\58e347e8-bab6-44d7-bcc9-757689ce7522.vbs

Filesize
750B

MD5
c939eeb11b6b6035f68e1a7e5580b080

SHA1
1da0414960319355a62b7b442d3443cccfc4ec8e

SHA256
ef4ffe5bd7c385bd51d40f93f0f0b78ddd9eeccdb202e4260fef503cb42e0475

SHA512
bfdb59883d35a9fdc83f7d60401b04402acc71ca8a7e7640cf4701b62dd19e8e06d43e8e063583cce95e9c4e9bb613583a54b8b76991e3518534a6eaf6084c9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5c6e43c1-b859-4542-8613-02e04f155ab6.vbs

Filesize
750B

MD5
5ec6ae91e10ccac9f1faa17cc5ac82c9

SHA1
ed50e4eb9762351a85bdf0191d073af7cf0400da

SHA256
345b6ef6e973ae6deb6bd5444e7c99d35ee7372901d48c84017f20f8cbcae42f

SHA512
b34dffb41f0a78c7d1f76bbcdd8c610d75dd9e200af825fdecb25b8e6d2d5742bf35a4bda4f273f990d61b2a9dbd39e325270499b8f5a896b97477aaa08cf414

Download Submit
C:\Users\Admin\AppData\Local\Temp\688b3b69-bb79-42aa-886d-5497e52411d8.vbs

Filesize
750B

MD5
ad6545ed317e8df4826c8dedd99c499a

SHA1
9f836877582fcdb91051dac34f06224f653e78ed

SHA256
7f74c866abacf6392da24753b90a86ef478ad8405051bb74ae5754fcaa4061d6

SHA512
6a8f9065d6ba504914cda1c3bc0533153ac3dbb9883dca761d34fbd46120a032cd03ef974135d634cef8eb033c05f4a9dba6c6581741ab2cb8c466283d2bc620

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2af059c-b2a0-4cfd-a105-a4d89652026d.vbs

Filesize
750B

MD5
8aac01692f83031e3138709190da56bb

SHA1
aae875798d85b98270fba25e8b9ac873cfb05bb0

SHA256
4f66001a6f4ab18cd5cea12de43060436e17cd1a48bdf242f6fd6b93a303da15

SHA512
248f33a027a7ee96b8f08dbfd5a35e15ba0d7f3ba8dcd408b041ac8f40d03a9b72cd4ab2d216aa05d35632ddb2283c9c6a304d6d5f8879a4b6f212bc2cd6fe46

Download Submit
C:\Users\Admin\AppData\Local\Temp\a650078b-4866-4af3-9ea3-d067ddfb9530.vbs

Filesize
526B

MD5
946fd6e3fec1a946c6e558ba8b11d261

SHA1
00109d8a4ba99eb72f5c299e71a51511bb523f4a

SHA256
58580cc0b8ddcce1f81af08338d5a38fbf4134852c9a346bf4d529c6c56e3066

SHA512
3d808b1c28b98703b7e9cc3df1fef072b0b083ffcca76d87fcb94e1fd1d0be5cad8f4c768e08fb67fe1ab1a8d87d4eb7b474736b3813a114b7cdf6e3f328fe72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ab34e10e-f762-466b-9e21-aa4e0c58650a.vbs

Filesize
750B

MD5
d7a9ae2c8e35bd5f4e263b13ed694533

SHA1
225761d80120575ae74b55f835af145cb633b1cc

SHA256
f960a891e9db0699c33502ddaf77d2bc111a00e1725bddd5941eda43250fec84

SHA512
c0c0a60fec18c0d24b8c3831767eba0f914334fedeac7dbbcff488bc66970136c5d4169a880c9dbac8345b35c109197d522b26e2690b34172f0235bab9cc987b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5f01588-9b4a-4028-8d8d-af3a12fbddda.vbs

Filesize
750B

MD5
6da1036b39b7b29dc8eaae9d32d33e64

SHA1
3ec13f9bcb519ceb78f900a337c78aef89b343e1

SHA256
83027cd8e2664ee5fb3010fde605b4506d60267c68efd26211b6a1664b3179e4

SHA512
ce523a4f7f53634ac22c51e663da9aed293b0dcef54ad2882d719e0f23ce1ee4ce4b66e714ce0ed7a5021a8632d82b8295b7a4ffc30df5c555fee21feab12382

Download Submit
C:\Users\Admin\AppData\Local\Temp\d22add68-ac8c-4877-9517-2bdebea427d3.vbs

Filesize
750B

MD5
af70de9ee46d3dbc2a010031bf2b4d04

SHA1
0c348b2cedcc6e8cbffbd11a77e6fed0d33c7f20

SHA256
e662401ae5c1074959b29090756e8f82542a86cc04b20dace70b227dcea47cc8

SHA512
54aee515acd4ae98fcc6e7ad1412d3f83cb9baba6571559e7da48b8ff03b39612739179d1587a8d6e0d842291925da87e670c4aeaef4fa51499e18ff9bcb46d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb2b1f5b-bc0d-49b0-8fbd-4bb278ef4ab7.vbs

Filesize
750B

MD5
70398f813fe4323fea05479f4fe7aa37

SHA1
02d7a65c000cebb116691659206df9f942e86fca

SHA256
af89c0e9e6567706951ff3f8bc9c5f9d114a9f630a839ada16e1950eac7f9823

SHA512
f96e7ffe2b791d97ea9205ea487f659f50663c723027f781f78a5ce931c73a52dde24a43793d4863adcd220e7575e475165dcd731b28d6e9db0328c5f0353c87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
444cf13f0711494f1ff47ddb86cd5bc6

SHA1
319b775bd4cf3aa15800972596b4b051a73c41ab

SHA256
b0719ea4bb6fd3062c77bb6bba22f5d7d481a493f602fe1cce0d3ba11fb22084

SHA512
ae12478729cef09e6899c01a1993091c84353fe7ad46ac78ede566d1007ef1bbbedcc3bbe339cbcb2eed06c74fb2e2e52788bbabc3c270558c5600fbcbc97768

Download Submit
C:\Users\Public\Music\RCXF5B2.tmp

Filesize
1.6MB

MD5
2e5aa6d9e3ebb0e8d023e44c51e3656a

SHA1
b22df4edc15987dcb6734c557cfab6e7a6b9fa4f

SHA256
c404694ac97376178727127cf603161f1a08f90ecc39ab76e5212ee19e350105

SHA512
58b10f7c3eea2dd523e654c0325ef8297ea5ce7cb523982e4fc6c5f2407394c814345d9fb7b4b7286190179c7be3157cc1779819dbb4e1a636cc71f6fa3428c5

Download Submit
C:\Windows\LiveKernelReports\lsass.exe

Filesize
1.6MB

MD5
30483dd90f8a4cb7f2946ca5bca77f62

SHA1
d457b7afa2565c12ce56bec88348f04f3a45a858

SHA256
705ab4f43a7fedf20e4a807c4f327f26cc3d9a37b3c23f559ad08f118ff70675

SHA512
85a9880dfea98f6678fd97f9fd7aa148953ecca1376ebebed10d7cb52f51e5197ac2bc9f96cf21f0c5c0e58ee18755405d9b363ecac0f7ea578696d913c71131

Download Submit
C:\Windows\fr-FR\sppsvc.exe

Filesize
1.6MB

MD5
7a68a0b1e1af972126a1c98c654ce0b1

SHA1
5571bdcacd5cc7606479f1d10f04da83e6a38fd3

SHA256
635de6545725f229e6f460d0d2c8cf12d4fc18f5d3d60e4713b448299ae6461d

SHA512
ef083582cc3d051a9e217c7adaca75dc7aa1b5ea85f8eb34f22b3f5c6e8ca4a93c9175ab7f55f2e158238c625f026609e9a80c09af428f0e882eed05b642c4fd

Download Submit
C:\Windows\ja-JP\winlogon.exe

Filesize
1.6MB

MD5
cd1634a0788a7e0c1120930a46dcceed

SHA1
5e990eda55dd6b4f6001898f8f4d828518d05c9b

SHA256
832a48a191a3e98e1914659c9a2c9098e73dd164c4e84d97899a6051a6515f90

SHA512
7c4758fdb7fdc7fe06e542b0e64e245c6dae141b4355458e90fb7a600db94ef0d53cb0b18760833112d1e21e42528b03bce6f6196bbe9fe0aa228803e5ac2335

Download Submit
C:\Windows\ja-JP\winlogon.exe

Filesize
1.6MB

MD5
ac9fd8e109804869af8123e89de9f3ad

SHA1
cc11b16fc0fda8457aaaeeef59802ea7248b2e81

SHA256
8bbc523bc684e25dc3cf982a4de0e7376a984d22c87f413f51bc0b69d8250bd6

SHA512
a50c4e89abae1cfad4f69bb5ffb04d269490cacd8609c682f385a540e9ef94f7e5b6c07ac99bd7a8f94d51b71f801e0a6e011c5c61d89f4843641cbb6e5efb58

Download Submit
memory/588-278-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/1588-454-0x00000000003C0000-0x0000000000562000-memory.dmp

Filesize
1.6MB

Download
memory/1672-489-0x0000000001230000-0x00000000013D2000-memory.dmp

Filesize
1.6MB

Download
memory/1848-280-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2460-11-0x0000000000E90000-0x0000000000E9A000-memory.dmp

Filesize
40KB

Download
memory/2460-8-0x0000000000D30000-0x0000000000D38000-memory.dmp

Filesize
32KB

Download
memory/2460-186-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2460-16-0x000000001AAE0000-0x000000001AAEC000-memory.dmp

Filesize
48KB

Download
memory/2460-14-0x000000001AAC0000-0x000000001AAC8000-memory.dmp

Filesize
32KB

Download
memory/2460-375-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2460-1-0x0000000000EC0000-0x0000000001062000-memory.dmp

Filesize
1.6MB

Download
memory/2460-15-0x000000001AAD0000-0x000000001AADA000-memory.dmp

Filesize
40KB

Download
memory/2460-12-0x0000000000EA0000-0x0000000000EAE000-memory.dmp

Filesize
56KB

Download
memory/2460-2-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2460-13-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

Filesize
32KB

Download
memory/2460-0-0x000007FEF5803000-0x000007FEF5804000-memory.dmp

Filesize
4KB

Download
memory/2460-10-0x0000000000E80000-0x0000000000E8C000-memory.dmp

Filesize
48KB

Download
memory/2460-9-0x0000000000D50000-0x0000000000D5C000-memory.dmp

Filesize
48KB

Download
memory/2460-5-0x0000000000B50000-0x0000000000B66000-memory.dmp

Filesize
88KB

Download
memory/2460-6-0x0000000000490000-0x0000000000498000-memory.dmp

Filesize
32KB

Download
memory/2460-204-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp

Filesize
9.9MB

Download
memory/2460-7-0x0000000000D40000-0x0000000000D50000-memory.dmp

Filesize
64KB

Download
memory/2460-3-0x0000000000460000-0x000000000047C000-memory.dmp

Filesize
112KB

Download
memory/2460-4-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/2540-376-0x0000000000CD0000-0x0000000000E72000-memory.dmp

Filesize
1.6MB

Download
memory/2924-387-0x0000000001130000-0x00000000012D2000-memory.dmp

Filesize
1.6MB

Download
memory/2928-466-0x00000000011C0000-0x0000000001362000-memory.dmp

Filesize
1.6MB

Download