dcrat | 56eaeb544a5b324a1b498dc1839a346277ea0ba6840f6d5ceb898b823f14d2d5

Analysis

max time kernel
82s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

72ff89c7cdaac70515ac184accbd4c9f.exe
Size

1.6MB
MD5

72ff89c7cdaac70515ac184accbd4c9f
SHA1

e6306a7c6d40ae9036ced594b938a12f8ab57b1c
SHA256

5db5b45d3fbb3a20e8fb589356e8c5ad9cfe79cbe2f9ba46a3d5c1d312f72504
SHA512

aacbc1a9ea04889d3d1552ccf9d4634eb0baaf57715dfc7686922058a485eedd868c0578cf8b438187cf8b3b2ebf3d32dcd963ef77ec1de278231ab19f584be4
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	1648	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1648	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2744-1-0x0000000001160000-0x0000000001302000-memory.dmp	dcrat
behavioral11/files/0x000500000001960c-25.dat	dcrat
behavioral11/files/0x0008000000019441-91.dat	dcrat
behavioral11/files/0x000a000000019c53-197.dat	dcrat
behavioral11/memory/2900-282-0x0000000000130000-0x00000000002D2000-memory.dmp	dcrat
behavioral11/memory/1000-293-0x0000000000120000-0x00000000002C2000-memory.dmp	dcrat
behavioral11/memory/1124-305-0x0000000000370000-0x0000000000512000-memory.dmp	dcrat
behavioral11/memory/1656-317-0x0000000000320000-0x00000000004C2000-memory.dmp	dcrat
behavioral11/memory/2560-329-0x0000000000E30000-0x0000000000FD2000-memory.dmp	dcrat
behavioral11/memory/2096-341-0x00000000011B0000-0x0000000001352000-memory.dmp	dcrat
behavioral11/memory/664-353-0x00000000012C0000-0x0000000001462000-memory.dmp	dcrat
behavioral11/memory/1908-387-0x00000000002F0000-0x0000000000492000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1852	powershell.exe
1120	powershell.exe
1652	powershell.exe
332	powershell.exe
2260	powershell.exe
600	powershell.exe
2988	powershell.exe
2632	powershell.exe
1792	powershell.exe
3000	powershell.exe
1716	powershell.exe
2780	powershell.exe
3040	powershell.exe
1732	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
2900	Idle.exe
1000	Idle.exe
1124	Idle.exe
1656	Idle.exe
2560	Idle.exe
2096	Idle.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Portable Devices\csrss.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Program Files\Windows Portable Devices\csrss.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Program Files\Windows Portable Devices\886983d96e3d3e	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCX1E9.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\27d1bcfc3c54e0	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXAD7.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCXEE0.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\RCXEE1.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Program Files\Internet Explorer\ja-JP\Idle.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Program Files\Internet Explorer\ja-JP\6ccacd8608530f	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\RCX1E8.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files\Windows Portable Devices\RCXAD6.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\Idle.exe	72ff89c7cdaac70515ac184accbd4c9f.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system\smss.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Windows\system\69ddcba757bf72	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-fsutil.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_97d05fa8ed72c0ab\72ff89c7cdaac70515ac184accbd4c9f.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\system\RCX45B.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\system\smss.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\Installer\RCXCDC.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Windows\Installer\lsm.exe	72ff89c7cdaac70515ac184accbd4c9f.exe
File created	C:\Windows\Installer\101b941d020240	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\system\RCX45A.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\Installer\RCXCDB.tmp	72ff89c7cdaac70515ac184accbd4c9f.exe
File opened for modification	C:\Windows\Installer\lsm.exe	72ff89c7cdaac70515ac184accbd4c9f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe
2764	schtasks.exe
2976	schtasks.exe
1000	schtasks.exe
1420	schtasks.exe
2120	schtasks.exe
2500	schtasks.exe
484	schtasks.exe
2720	schtasks.exe
2552	schtasks.exe
3016	schtasks.exe
2592	schtasks.exe
1124	schtasks.exe
940	schtasks.exe
2004	schtasks.exe
2516	schtasks.exe
2164	schtasks.exe
2360	schtasks.exe
576	schtasks.exe
2252	schtasks.exe
1784	schtasks.exe
1508	schtasks.exe
1792	schtasks.exe
2884	schtasks.exe
2844	schtasks.exe
1468	schtasks.exe
956	schtasks.exe
2404	schtasks.exe
2488	schtasks.exe
1736	schtasks.exe
1620	schtasks.exe
2536	schtasks.exe
2044	schtasks.exe
1924	schtasks.exe
2632	schtasks.exe
1292	schtasks.exe
2064	schtasks.exe
2260	schtasks.exe
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2744	72ff89c7cdaac70515ac184accbd4c9f.exe
2780	powershell.exe
332	powershell.exe
3040	powershell.exe
1732	powershell.exe
1652	powershell.exe
600	powershell.exe
1792	powershell.exe
1120	powershell.exe
1852	powershell.exe
3000	powershell.exe
2260	powershell.exe
1716	powershell.exe
2632	powershell.exe
2988	powershell.exe
2900	Idle.exe
1000	Idle.exe
1124	Idle.exe
1656	Idle.exe
2560	Idle.exe
2096	Idle.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	72ff89c7cdaac70515ac184accbd4c9f.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2900	Idle.exe
Token: SeDebugPrivilege	1000	Idle.exe
Token: SeDebugPrivilege	1124	Idle.exe
Token: SeDebugPrivilege	1656	Idle.exe
Token: SeDebugPrivilege	2560	Idle.exe
Token: SeDebugPrivilege	2096	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2744 wrote to memory of 1732	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	71
PID 2744 wrote to memory of 1732	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	71
PID 2744 wrote to memory of 1732	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	71
PID 2744 wrote to memory of 3040	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	72
PID 2744 wrote to memory of 3040	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	72
PID 2744 wrote to memory of 3040	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	72
PID 2744 wrote to memory of 332	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	73
PID 2744 wrote to memory of 332	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	73
PID 2744 wrote to memory of 332	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	73
PID 2744 wrote to memory of 2780	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	74
PID 2744 wrote to memory of 2780	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	74
PID 2744 wrote to memory of 2780	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	74
PID 2744 wrote to memory of 1652	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	78
PID 2744 wrote to memory of 1652	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	78
PID 2744 wrote to memory of 1652	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	78
PID 2744 wrote to memory of 1716	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	79
PID 2744 wrote to memory of 1716	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	79
PID 2744 wrote to memory of 1716	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	79
PID 2744 wrote to memory of 2260	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	80
PID 2744 wrote to memory of 2260	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	80
PID 2744 wrote to memory of 2260	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	80
PID 2744 wrote to memory of 1120	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	81
PID 2744 wrote to memory of 1120	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	81
PID 2744 wrote to memory of 1120	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	81
PID 2744 wrote to memory of 3000	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	82
PID 2744 wrote to memory of 3000	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	82
PID 2744 wrote to memory of 3000	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	82
PID 2744 wrote to memory of 2632	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	83
PID 2744 wrote to memory of 2632	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	83
PID 2744 wrote to memory of 2632	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	83
PID 2744 wrote to memory of 2988	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	84
PID 2744 wrote to memory of 2988	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	84
PID 2744 wrote to memory of 2988	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	84
PID 2744 wrote to memory of 600	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	85
PID 2744 wrote to memory of 600	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	85
PID 2744 wrote to memory of 600	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	85
PID 2744 wrote to memory of 1852	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	86
PID 2744 wrote to memory of 1852	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	86
PID 2744 wrote to memory of 1852	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	86
PID 2744 wrote to memory of 1792	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	87
PID 2744 wrote to memory of 1792	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	87
PID 2744 wrote to memory of 1792	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	87
PID 2744 wrote to memory of 1688	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	99
PID 2744 wrote to memory of 1688	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	99
PID 2744 wrote to memory of 1688	2744	72ff89c7cdaac70515ac184accbd4c9f.exe	99
PID 1688 wrote to memory of 2040	1688	cmd.exe	101
PID 1688 wrote to memory of 2040	1688	cmd.exe	101
PID 1688 wrote to memory of 2040	1688	cmd.exe	101
PID 1688 wrote to memory of 2900	1688	cmd.exe	102
PID 1688 wrote to memory of 2900	1688	cmd.exe	102
PID 1688 wrote to memory of 2900	1688	cmd.exe	102
PID 2900 wrote to memory of 1016	2900	Idle.exe	103
PID 2900 wrote to memory of 1016	2900	Idle.exe	103
PID 2900 wrote to memory of 1016	2900	Idle.exe	103
PID 2900 wrote to memory of 2944	2900	Idle.exe	104
PID 2900 wrote to memory of 2944	2900	Idle.exe	104
PID 2900 wrote to memory of 2944	2900	Idle.exe	104
PID 1016 wrote to memory of 1000	1016	WScript.exe	105
PID 1016 wrote to memory of 1000	1016	WScript.exe	105
PID 1016 wrote to memory of 1000	1016	WScript.exe	105
PID 1000 wrote to memory of 1924	1000	Idle.exe	106
PID 1000 wrote to memory of 1924	1000	Idle.exe	106
PID 1000 wrote to memory of 1924	1000	Idle.exe	106
PID 1000 wrote to memory of 984	1000	Idle.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe
"C:\Users\Admin\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\72ff89c7cdaac70515ac184accbd4c9f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1852
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fI8Bd254w6.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2040
- - C:\Program Files\Internet Explorer\ja-JP\Idle.exe
    "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\925a1f26-706d-413a-b383-dcddd2eda483.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1016
    - - C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0b61633-6f48-4f63-9247-2f6890daa455.vbs"
        6⤵
        
        PID:1924
        
        C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\214e8eb9-0dd4-4e29-b303-b4d36a323af7.vbs"
        8⤵
        
        PID:2456
        
        C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\967c9c3c-b18d-4755-a18f-58179773e416.vbs"
        10⤵
        
        PID:2928
        
        C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d854474-4e07-468d-b4a5-7f4f57501a65.vbs"
        12⤵
        
        PID:2688
        
        C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5d55cc52-2cfc-41bc-81dd-3f3cdee19d42.vbs"
        14⤵
        
        PID:1652
        
        C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        15⤵
        
        PID:664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7c34f28d-f7a6-47dd-a3ba-6f4a822a4578.vbs"
        16⤵
        
        PID:1640
        
        C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        17⤵
        
        PID:268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f1bd8970-d83d-4983-bf6f-a232b4f4131a.vbs"
        18⤵
        
        PID:2244
        
        C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        19⤵
        
        PID:792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c6198226-4fb3-4935-a150-9cb9f14ec8ed.vbs"
        20⤵
        
        PID:620
        
        C:\Program Files\Internet Explorer\ja-JP\Idle.exe
        
        "C:\Program Files\Internet Explorer\ja-JP\Idle.exe"
        21⤵
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ce6fd513-fcac-41ec-8bc5-1cbb851a80b4.vbs"
        22⤵
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8efe42a8-3c64-4e76-b690-82216fc91ec3.vbs"
        22⤵
        
        PID:1940
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\05cd0e7f-8d42-428b-be9d-dadcbd79fe02.vbs"
        20⤵
        
        PID:1892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1425cbc6-4967-4f47-9a5f-2a5c46d679f3.vbs"
        18⤵
        
        PID:1740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\29434198-6170-4286-9dcb-02a8d737fea5.vbs"
        16⤵
        
        PID:1124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d39b7e93-fdde-466d-8823-261d282d4497.vbs"
        14⤵
        
        PID:2276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d3a5c3b-9a3b-4f02-b247-729653122459.vbs"
        12⤵
        
        PID:2528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\07f9d044-027b-47ed-aff7-a868605763ce.vbs"
        10⤵
        
        PID:2500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2412f1e-6da4-4283-b894-d285c6b5bf52.vbs"
        8⤵
        
        PID:1848
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed9ac0f3-088e-4cab-9a74-ba5439208981.vbs"
        6⤵
        
        PID:984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c10ace97-8893-4066-8677-43ec9b01838b.vbs"
      4⤵
      PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\system\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\system\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\system\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\Installer\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Installer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Installer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "72ff89c7cdaac70515ac184accbd4c9f7" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\72ff89c7cdaac70515ac184accbd4c9f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "72ff89c7cdaac70515ac184accbd4c9f" /sc ONLOGON /tr "'C:\MSOCache\All Users\72ff89c7cdaac70515ac184accbd4c9f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "72ff89c7cdaac70515ac184accbd4c9f7" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\72ff89c7cdaac70515ac184accbd4c9f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "72ff89c7cdaac70515ac184accbd4c9f7" /sc MINUTE /mo 12 /tr "'C:\Users\Default\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "72ff89c7cdaac70515ac184accbd4c9f" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "72ff89c7cdaac70515ac184accbd4c9f7" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Local\Temp\72ff89c7cdaac70515ac184accbd4c9f.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe

Filesize
1.6MB

MD5
29ec7b584f61405a0e513243500d18a5

SHA1
85a9533c8ff5e86f9aa6125885e20c337efdcba8

SHA256
86c9037d62cb403f126d049524a921a07217e4c970641d60ac050b4059c2355e

SHA512
59d6821c425a379e2700dd1118559069bb71fdb7f9c804a3e1131e44dd5ad3ae08a579c826d9b482c926f82b5e365679519549e804aca9a1d0033d99395cd7bc

Download Submit
C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\smss.exe

Filesize
1.6MB

MD5
72ff89c7cdaac70515ac184accbd4c9f

SHA1
e6306a7c6d40ae9036ced594b938a12f8ab57b1c

SHA256
5db5b45d3fbb3a20e8fb589356e8c5ad9cfe79cbe2f9ba46a3d5c1d312f72504

SHA512
aacbc1a9ea04889d3d1552ccf9d4634eb0baaf57715dfc7686922058a485eedd868c0578cf8b438187cf8b3b2ebf3d32dcd963ef77ec1de278231ab19f584be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1d854474-4e07-468d-b4a5-7f4f57501a65.vbs

Filesize
725B

MD5
17f752c7dbb17607cad5b619db8221e2

SHA1
d29a3fe0776982d9bb070bcfe77e5a5f1c8f6bcf

SHA256
153d97b8ba7ec712b6a57d1df6492000d4f7a9bed79ec7bc2c61b4ed0e0e6c39

SHA512
046f2544034b4f0cd5dbeae8a3b54767260c0ca3f72e22986579540ff3f40ef990cd9578a0fa67d7f8036bbda9632a36cb6857109465d1a98a658e43cf7b968f

Download Submit
C:\Users\Admin\AppData\Local\Temp\214e8eb9-0dd4-4e29-b303-b4d36a323af7.vbs

Filesize
725B

MD5
27562b97ce8aaff47f36235419592500

SHA1
00a44babb845bf356829230d4934b548d8518e51

SHA256
6c14c14e78c911f8a1770b6193999c17823ad31f62ee6506e30094f7e3dc9f07

SHA512
752be315869c8c7df52282909cc277a4196b589a45f70945102e204e21bb7d00066ad92c6d8829f87fd9bb0113b25faebb1d9674994f373b21f72163c5daeec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d55cc52-2cfc-41bc-81dd-3f3cdee19d42.vbs

Filesize
725B

MD5
7cfdaedd2061ed63723162069951387e

SHA1
007dcda3c103b529ffa4a7441f363911ff685abf

SHA256
b71f8328e5441c72fdad74eac12b1f341ae87c9735eac8b8d516cc716d2c1ccf

SHA512
ebf3fce83802d3e26851e5bcbf241ea65ca55819379d5c30d9439ca82885c24feb21118580220c0d46e1c86cf30f1bd4a0e2c17c832a9d71663374c7cdc43c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7c34f28d-f7a6-47dd-a3ba-6f4a822a4578.vbs

Filesize
724B

MD5
aa216e9db12253f0add0be5dbc1999f9

SHA1
6791384d5e1aa199c394ba056854122a640c0ecc

SHA256
e9afb12e6130f8c1dddf343f93abe894be4df7c40347fde74c3ad7f37717677b

SHA512
a84f200fbe9dba79308c032efc77753dcddf5a517d0ab4c2eaae0ce4b4b6a03915b48a3a147eb6a6d0e087973416a621db01a72b9277587347b4c03eea2808ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\925a1f26-706d-413a-b383-dcddd2eda483.vbs

Filesize
725B

MD5
9ed16ab8d9db6e07209c265eb43380a3

SHA1
5056fea49e8d19f9ddb531d52c11d56bc7825d5a

SHA256
b61745cc6fa3cddd6d1c1d95955d656304abb266cc8569427b23dbd8ec7b09e4

SHA512
ab38bd17c7f1bacb53421a87de106f2bd59dd2416d9973bf15f25535e7c3692dd70ac7ac5654a746bfe6ae8206c6e1a283e2b5fadbe20f39b502960498aaaa01

Download Submit
C:\Users\Admin\AppData\Local\Temp\967c9c3c-b18d-4755-a18f-58179773e416.vbs

Filesize
725B

MD5
cb2b5fa42c65b7fb4f1db50ba813686e

SHA1
63ac67254dcfa750caa5cdb541cf5e8b9a339ee1

SHA256
06d5d65ae37b597b4b9cb22c2b84ec8822ac58a319ada1825cfda8ce9d97b755

SHA512
042965ee830374761547e0ffb96cc8921a3b325728a12f78a6fa7cc14339a18234292da3e24fc50771bec357cb862d913e924349bcb970d09b1c138a5a05727f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c10ace97-8893-4066-8677-43ec9b01838b.vbs

Filesize
501B

MD5
0949476d1fe60ce1875e58307e23bbea

SHA1
6fbe23e747b648e689e3aaabfaf3e474b60fba7f

SHA256
590b735765f69cbc930dd96caa8d9274ea4c1a3d1bd38a8fc80b8b02cd80ad61

SHA512
aca3773876dd495cf1dda4a264bc68f81a3b75bed32f65e359dd4c696a142af6bc8a42bac9bb195c223a142d019e3febd9fbbac58bfb5d93f99da11a3c10599a

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6198226-4fb3-4935-a150-9cb9f14ec8ed.vbs

Filesize
724B

MD5
0b2ca1b17d54cc23944e611fddfbd432

SHA1
cdcd624e9531e1707b05ae5bfac61abee70f14ea

SHA256
4d28bd0c10c3db6bab4f6e6baa8f152d31c4755b62efaca53ba2d8c344f7731c

SHA512
b087da18c535c910f1881eee19e908eda99ac8e3877c96a06a5f3ce0284a8d8761cb496f8d2550eb3e33bac9d68d558356251a2deed422a471bd31fb242e04aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ce6fd513-fcac-41ec-8bc5-1cbb851a80b4.vbs

Filesize
725B

MD5
23978e62877d23f7ef69848096f68f0c

SHA1
3a6502324044ba9de1bd7de56ecf89031ced8c5a

SHA256
ed805503f1c3a71b29f4cf1ef356285a35098fc8bad2f8cd47dab8e6e861361c

SHA512
5bab5dd21fbe52f0750648c022ee36d23f537ef57c9853feb52ed85da763e6e6c5e18e0f9fdeb8326c7f0012110a1f50fa257ba303989535be894f957bd78099

Download Submit
C:\Users\Admin\AppData\Local\Temp\d0b61633-6f48-4f63-9247-2f6890daa455.vbs

Filesize
725B

MD5
8c4664401b651b9af0a4754c7c16c5af

SHA1
3c349cfb6ab03c7dd7db0128dd0944b2ac58d069

SHA256
1ca7b69ff6e3391d41563ab6a13c5a5c31fed1d65e8c58b61deba34b55538af1

SHA512
00ece15a07862e35d906cc51adf795b5a44812a4add3213da46ac1b2b7eaeb396dc00f8807100ccd201c3c966e49b5aa60f50986259ed0aa00239e8af9e3b90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1bd8970-d83d-4983-bf6f-a232b4f4131a.vbs

Filesize
724B

MD5
5b027d80ce3c209040fb342b245eecb7

SHA1
318f0fe37c149995a30fec81fc64df40917f8e5c

SHA256
fa0be692405b59a1b1428df49665e4ec49b736c2ec5eafe397784185a69b4c3a

SHA512
422d972c0eff64a4218713b655cc8638f55a020c0172adbe7086a74f3e4a93525db915052bd589b3037138a98927b41cb2aa205e5109d30f927561a06b01f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fI8Bd254w6.bat

Filesize
214B

MD5
f00cb70035e550df6006d06a176863fb

SHA1
55ed881a3db9091b289946c5237d06a49abbf777

SHA256
613390c6f8d4505480c7210337d0e8c89d442694bc8a74791c29348d024f5c81

SHA512
5f2905152af9b6610cd8e4f39a9235b1af58eadcb5cddcc824adb36633dd0a334e35f7415dc20e0513ed7bb218938db72b32ecacf4c4c3c4c877817f1b55ca70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b5baa3cdff9b5978785cf4690018a7aa

SHA1
a840590d3da651b9a01553d0499aa88df7907b4a

SHA256
2895e2cef26d41b5d30399868581b2c78ae41bbf970df96e459c45720ba7c017

SHA512
74a04b1812651028c35e8aee4c9b2b6810e0c39502218f69e739dc23bd5c07c3ad3f68627f2590bd618fb6f6733b7db683b06490f15262ee76df635d6716a54a

Download Submit
C:\Users\Admin\spoolsv.exe

Filesize
1.6MB

MD5
d8db05266d3a4e305069d876507c962a

SHA1
b860e71bf883f7ccf2584a97e68eff1397ead76e

SHA256
f58a6c97a2d9929fa3ac6e860bb6776463ca49ac3ddaeefc1d1633d83913d5ce

SHA512
ed59f084abb7165c144016bfb71a7384aff29eb355e0cc94b63276f818db64c35c7d0f8f0c0ecf2ed19d6a4d73e70780b6d27d6e8f1f2477d4b7b90d36497bc6

Download Submit
memory/332-225-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/664-353-0x00000000012C0000-0x0000000001462000-memory.dmp

Filesize
1.6MB

Download
memory/1000-293-0x0000000000120000-0x00000000002C2000-memory.dmp

Filesize
1.6MB

Download
memory/1124-305-0x0000000000370000-0x0000000000512000-memory.dmp

Filesize
1.6MB

Download
memory/1656-317-0x0000000000320000-0x00000000004C2000-memory.dmp

Filesize
1.6MB

Download
memory/1908-387-0x00000000002F0000-0x0000000000492000-memory.dmp

Filesize
1.6MB

Download
memory/2096-341-0x00000000011B0000-0x0000000001352000-memory.dmp

Filesize
1.6MB

Download
memory/2560-329-0x0000000000E30000-0x0000000000FD2000-memory.dmp

Filesize
1.6MB

Download
memory/2744-0-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2744-15-0x000000001A770000-0x000000001A77A000-memory.dmp

Filesize
40KB

Download
memory/2744-1-0x0000000001160000-0x0000000001302000-memory.dmp

Filesize
1.6MB

Download
memory/2744-176-0x000007FEF6623000-0x000007FEF6624000-memory.dmp

Filesize
4KB

Download
memory/2744-10-0x000000001A720000-0x000000001A72C000-memory.dmp

Filesize
48KB

Download
memory/2744-11-0x000000001A730000-0x000000001A73A000-memory.dmp

Filesize
40KB

Download
memory/2744-12-0x000000001A740000-0x000000001A74E000-memory.dmp

Filesize
56KB

Download
memory/2744-13-0x000000001A750000-0x000000001A758000-memory.dmp

Filesize
32KB

Download
memory/2744-200-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-14-0x000000001A760000-0x000000001A768000-memory.dmp

Filesize
32KB

Download
memory/2744-9-0x0000000000CD0000-0x0000000000CDC000-memory.dmp

Filesize
48KB

Download
memory/2744-242-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2744-5-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/2744-16-0x000000001A780000-0x000000001A78C000-memory.dmp

Filesize
48KB

Download
memory/2744-4-0x00000000001D0000-0x00000000001E0000-memory.dmp

Filesize
64KB

Download
memory/2744-8-0x0000000000CC0000-0x0000000000CC8000-memory.dmp

Filesize
32KB

Download
memory/2744-6-0x0000000000CA0000-0x0000000000CA8000-memory.dmp

Filesize
32KB

Download
memory/2744-7-0x0000000000CB0000-0x0000000000CC0000-memory.dmp

Filesize
64KB

Download
memory/2744-3-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/2744-2-0x000007FEF6620000-0x000007FEF700C000-memory.dmp

Filesize
9.9MB

Download
memory/2780-231-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2900-282-0x0000000000130000-0x00000000002D2000-memory.dmp

Filesize
1.6MB

Download