dcrat | 5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
149s
max time network
158s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
Size

885KB
MD5

7f653aa47f3ef4d091f38ed9e5dcc6d4
SHA1

68ec9ab071cd6429ff3da60901ca80b283a7943a
SHA256

91e17c8d5d7f65ef395f929f499b1d53eeabdc4cb909a3bb5eeeea0e470214c1
SHA512

3622e31c5d688dbb7b247a0d43d7ea0f06b7710a1b92ef176c7c0a137b08bbb3b976ac7aced4bec393107c88a8d851d4073d793d56b3c4b6d69dd028265f357d
SSDEEP

12288:clNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:clNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1908	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1908	schtasks.exe	31

DCRat payload 17 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral17/memory/1484-1-0x00000000010F0000-0x00000000011D4000-memory.dmp	dcrat
behavioral17/files/0x0005000000019d69-18.dat	dcrat
behavioral17/files/0x001100000001a4f1-139.dat	dcrat
behavioral17/files/0x000500000001a509-155.dat	dcrat
behavioral17/files/0x000500000001a515-168.dat	dcrat
behavioral17/files/0x000600000001ad94-191.dat	dcrat
behavioral17/memory/2940-200-0x0000000000F30000-0x0000000001014000-memory.dmp	dcrat
behavioral17/memory/2484-212-0x0000000000250000-0x0000000000334000-memory.dmp	dcrat
behavioral17/memory/1520-224-0x00000000008E0000-0x00000000009C4000-memory.dmp	dcrat
behavioral17/memory/2952-236-0x0000000000130000-0x0000000000214000-memory.dmp	dcrat
behavioral17/memory/2676-248-0x0000000000E20000-0x0000000000F04000-memory.dmp	dcrat
behavioral17/memory/2136-260-0x0000000001100000-0x00000000011E4000-memory.dmp	dcrat
behavioral17/memory/1916-283-0x00000000013C0000-0x00000000014A4000-memory.dmp	dcrat
behavioral17/memory/2116-295-0x0000000000080000-0x0000000000164000-memory.dmp	dcrat
behavioral17/memory/1160-307-0x0000000000BD0000-0x0000000000CB4000-memory.dmp	dcrat
behavioral17/memory/2464-319-0x00000000001D0000-0x00000000002B4000-memory.dmp	dcrat
behavioral17/memory/376-331-0x0000000000F00000-0x0000000000FE4000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
2940	winlogon.exe
2484	winlogon.exe
1520	winlogon.exe
2952	winlogon.exe
2676	winlogon.exe
2136	winlogon.exe
2972	winlogon.exe
1916	winlogon.exe
2116	winlogon.exe
1160	winlogon.exe
2464	winlogon.exe
376	winlogon.exe
2376	winlogon.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\en-US\spoolsv.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\cc11b995f2a76d	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files\7-Zip\1610b97d3ab4a7	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXEF32.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\RCXEFAF.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\winlogon.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\Idle.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\6ccacd8608530f	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RCXEEFA.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXEF1E.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files\7-Zip\RCXEFB0.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files\Windows Sidebar\en-US\f3b6ecef712a24	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files\7-Zip\OSPPSVC.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCXEEE5.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files\Windows Sidebar\en-US\RCXEEE6.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RCXEEF9.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\en-US\RCXEF1F.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Program Files\7-Zip\RCXEFB1.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Vss\Writers\RCXEF0D.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Windows\ServiceProfiles\RCXEF20.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\Vss\Writers\886983d96e3d3e	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\ServiceProfiles\1610b97d3ab4a7	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\Boot\lsass.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\diagnostics\index\csrss.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Windows\addins\RCXEF0B.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Windows\ServiceProfiles\RCXEF21.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\addins\csrss.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\addins\886983d96e3d3e	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\Vss\Writers\csrss.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File created	C:\Windows\ServiceProfiles\OSPPSVC.exe	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Windows\addins\RCXEF0A.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
File opened for modification	C:\Windows\Vss\Writers\RCXEF0C.tmp	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2948	schtasks.exe
2724	schtasks.exe
376	schtasks.exe
1712	schtasks.exe
1440	schtasks.exe
2852	schtasks.exe
2568	schtasks.exe
2916	schtasks.exe
2940	schtasks.exe
2696	schtasks.exe
1436	schtasks.exe
1068	schtasks.exe
332	schtasks.exe
1936	schtasks.exe
1704	schtasks.exe
2784	schtasks.exe
2308	schtasks.exe
1036	schtasks.exe
2068	schtasks.exe
2104	schtasks.exe
3028	schtasks.exe
2980	schtasks.exe
1620	schtasks.exe
2112	schtasks.exe
1980	schtasks.exe
1508	schtasks.exe
2456	schtasks.exe
1752	schtasks.exe
2280	schtasks.exe
1020	schtasks.exe
2180	schtasks.exe
2820	schtasks.exe
920	schtasks.exe
2976	schtasks.exe
2448	schtasks.exe
1676	schtasks.exe
2816	schtasks.exe
1500	schtasks.exe
640	schtasks.exe
1000	schtasks.exe
2676	schtasks.exe
2020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
2940	winlogon.exe
2484	winlogon.exe
1520	winlogon.exe
2952	winlogon.exe
2676	winlogon.exe
2136	winlogon.exe
2972	winlogon.exe
1916	winlogon.exe
2116	winlogon.exe
1160	winlogon.exe
2464	winlogon.exe
376	winlogon.exe
2376	winlogon.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
Token: SeDebugPrivilege	2940	winlogon.exe
Token: SeDebugPrivilege	2484	winlogon.exe
Token: SeDebugPrivilege	1520	winlogon.exe
Token: SeDebugPrivilege	2952	winlogon.exe
Token: SeDebugPrivilege	2676	winlogon.exe
Token: SeDebugPrivilege	2136	winlogon.exe
Token: SeDebugPrivilege	2972	winlogon.exe
Token: SeDebugPrivilege	1916	winlogon.exe
Token: SeDebugPrivilege	2116	winlogon.exe
Token: SeDebugPrivilege	1160	winlogon.exe
Token: SeDebugPrivilege	2464	winlogon.exe
Token: SeDebugPrivilege	376	winlogon.exe
Token: SeDebugPrivilege	2376	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 2940	1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe	74
PID 1484 wrote to memory of 2940	1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe	74
PID 1484 wrote to memory of 2940	1484	7f653aa47f3ef4d091f38ed9e5dcc6d4.exe	74
PID 2940 wrote to memory of 1552	2940	winlogon.exe	75
PID 2940 wrote to memory of 1552	2940	winlogon.exe	75
PID 2940 wrote to memory of 1552	2940	winlogon.exe	75
PID 2940 wrote to memory of 2456	2940	winlogon.exe	76
PID 2940 wrote to memory of 2456	2940	winlogon.exe	76
PID 2940 wrote to memory of 2456	2940	winlogon.exe	76
PID 1552 wrote to memory of 2484	1552	WScript.exe	77
PID 1552 wrote to memory of 2484	1552	WScript.exe	77
PID 1552 wrote to memory of 2484	1552	WScript.exe	77
PID 2484 wrote to memory of 2780	2484	winlogon.exe	78
PID 2484 wrote to memory of 2780	2484	winlogon.exe	78
PID 2484 wrote to memory of 2780	2484	winlogon.exe	78
PID 2484 wrote to memory of 2316	2484	winlogon.exe	79
PID 2484 wrote to memory of 2316	2484	winlogon.exe	79
PID 2484 wrote to memory of 2316	2484	winlogon.exe	79
PID 2780 wrote to memory of 1520	2780	WScript.exe	80
PID 2780 wrote to memory of 1520	2780	WScript.exe	80
PID 2780 wrote to memory of 1520	2780	WScript.exe	80
PID 1520 wrote to memory of 2920	1520	winlogon.exe	81
PID 1520 wrote to memory of 2920	1520	winlogon.exe	81
PID 1520 wrote to memory of 2920	1520	winlogon.exe	81
PID 1520 wrote to memory of 1072	1520	winlogon.exe	82
PID 1520 wrote to memory of 1072	1520	winlogon.exe	82
PID 1520 wrote to memory of 1072	1520	winlogon.exe	82
PID 2920 wrote to memory of 2952	2920	WScript.exe	83
PID 2920 wrote to memory of 2952	2920	WScript.exe	83
PID 2920 wrote to memory of 2952	2920	WScript.exe	83
PID 2952 wrote to memory of 1344	2952	winlogon.exe	84
PID 2952 wrote to memory of 1344	2952	winlogon.exe	84
PID 2952 wrote to memory of 1344	2952	winlogon.exe	84
PID 2952 wrote to memory of 1980	2952	winlogon.exe	85
PID 2952 wrote to memory of 1980	2952	winlogon.exe	85
PID 2952 wrote to memory of 1980	2952	winlogon.exe	85
PID 1344 wrote to memory of 2676	1344	WScript.exe	86
PID 1344 wrote to memory of 2676	1344	WScript.exe	86
PID 1344 wrote to memory of 2676	1344	WScript.exe	86
PID 2676 wrote to memory of 2044	2676	winlogon.exe	87
PID 2676 wrote to memory of 2044	2676	winlogon.exe	87
PID 2676 wrote to memory of 2044	2676	winlogon.exe	87
PID 2676 wrote to memory of 1396	2676	winlogon.exe	88
PID 2676 wrote to memory of 1396	2676	winlogon.exe	88
PID 2676 wrote to memory of 1396	2676	winlogon.exe	88
PID 2044 wrote to memory of 2136	2044	WScript.exe	89
PID 2044 wrote to memory of 2136	2044	WScript.exe	89
PID 2044 wrote to memory of 2136	2044	WScript.exe	89
PID 2136 wrote to memory of 2436	2136	winlogon.exe	90
PID 2136 wrote to memory of 2436	2136	winlogon.exe	90
PID 2136 wrote to memory of 2436	2136	winlogon.exe	90
PID 2136 wrote to memory of 1040	2136	winlogon.exe	91
PID 2136 wrote to memory of 1040	2136	winlogon.exe	91
PID 2136 wrote to memory of 1040	2136	winlogon.exe	91
PID 2436 wrote to memory of 2972	2436	WScript.exe	92
PID 2436 wrote to memory of 2972	2436	WScript.exe	92
PID 2436 wrote to memory of 2972	2436	WScript.exe	92
PID 2972 wrote to memory of 1844	2972	winlogon.exe	93
PID 2972 wrote to memory of 1844	2972	winlogon.exe	93
PID 2972 wrote to memory of 1844	2972	winlogon.exe	93
PID 2972 wrote to memory of 2632	2972	winlogon.exe	94
PID 2972 wrote to memory of 2632	2972	winlogon.exe	94
PID 2972 wrote to memory of 2632	2972	winlogon.exe	94
PID 1844 wrote to memory of 1916	1844	WScript.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe
"C:\Users\Admin\AppData\Local\Temp\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
  "C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb1d6e8c-fb2d-42d6-8525-185a2a2808a3.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
      C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c4996240-fc9e-4512-bc57-fd84b2c083c7.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb5a622b-a762-4e29-9655-93ea5b67d6fe.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67470deb-6c2d-4fa8-8889-ac53f7cb2dc7.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1344
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\72aa3a3a-6493-4517-93c5-c1f1e88c9e5e.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5270d0ae-6ce8-43ca-864d-d789efce7a62.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6eda7f42-6003-432b-a93e-35019413181a.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\699de04f-ac98-4be3-9d57-4602c002aebb.vbs"
        17⤵
        
        PID:2692
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\553153dc-4f1a-4de4-8e92-dc106ce100b6.vbs"
        19⤵
        
        PID:1856
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\02fc7538-1c38-4e0c-9377-8961d76bd5d1.vbs"
        21⤵
        
        PID:444
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e01db80d-d4ff-4ff3-8107-226cd6c40230.vbs"
        23⤵
        
        PID:2800
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9244a1b-323b-4562-8846-f036c45d48e3.vbs"
        25⤵
        
        PID:2328
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        
        C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a2d7f352-7976-4278-81e0-e502a9073b3d.vbs"
        27⤵
        
        PID:1372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bd53b585-4bf9-4353-b3b7-50028b9116be.vbs"
        27⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a224635d-3539-42f8-8d89-4037118af52c.vbs"
        25⤵
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d2de15c9-1233-4264-9815-f2f1c67a79ba.vbs"
        23⤵
        
        PID:1384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b3fcb4ad-2294-41c7-ab95-4f13fb3f6daa.vbs"
        21⤵
        
        PID:1388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1a82962c-5ad3-48a5-80f6-238bd01147f8.vbs"
        19⤵
        
        PID:1784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\317cde73-2d70-4529-9563-46201de33061.vbs"
        17⤵
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3797a0c-89d8-4db8-9ef1-be6877cb3ab2.vbs"
        15⤵
        
        PID:2632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fc1e6c4-5fa1-420d-9466-e29b08eb9c37.vbs"
        13⤵
        
        PID:1040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2c953b11-b6da-47da-add9-399cb2b5dfef.vbs"
        11⤵
        
        PID:1396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\afc9d6c5-46e9-4cf3-a40d-31ace907189f.vbs"
        9⤵
        
        PID:1980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4ec69ca4-b89e-4fb3-afde-a7937a49c81a.vbs"
        7⤵
        
        PID:1072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e5e3a06-7fe9-4655-9025-fb201f52e2b4.vbs"
        5⤵
        
        PID:2316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a7c82d87-67c7-43bd-930d-fb7f684fc940.vbs"
    3⤵
    PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\en-US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Media Renderer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Media Renderer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\ServiceProfiles\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\7-Zip\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d47" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d4" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "7f653aa47f3ef4d091f38ed9e5dcc6d47" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\7f653aa47f3ef4d091f38ed9e5dcc6d4.exe

Filesize
885KB

MD5
f1604af4e081f43e4425cc131f32b095

SHA1
6a387bad04ac50c16e050e700c1a64a7117afe42

SHA256
8098cee7cec9f21b01329f7ee96b1be960f63612d8122fe752d6d7083fb34b0e

SHA512
9172a88db117f6d6b41a99f625d86fa49d731fda7309605dd6d8a6ac343286aa2130537a05887a28a71e1cb1b2133616cbd90636ec794d3281a0c46b9a196177

Download Submit
C:\Program Files (x86)\Windows Portable Devices\csrss.exe

Filesize
885KB

MD5
da0e999c10795d65385b178e4cf33161

SHA1
1258c289f78c3dad316a27393616f74f7a75b05d

SHA256
5a1c9986d839e9487708cdd3a3d4a55d134e8ce4d2df57468c415196462ca9b6

SHA512
06ef542b8d32d3ed648320583a40493ac7cf11a24bff7a207515f29427473a62eff2aa62922304de21342c8d2f8b7e437483da4aeb6ddb603aa5ede49bbc8199

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\RCXEFB2.tmp

Filesize
885KB

MD5
b94ce007068c689051b97c1c625a1cb7

SHA1
b573b3a9b6593b45c678e766f9657980e05d92a4

SHA256
27b2b58d9cc0d93421d00a6b8a9a307aed00e280f39a562e48c8396706e46163

SHA512
55d712cf1acac10017d589aa2b236b6629b7f68065e5255969f392844151f78ae90268bb50f47edd14232cbc2c92d7e214815179412bf23be8a9f03c95d3f3f0

Download Submit
C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe

Filesize
885KB

MD5
41c3461a88257ce09b5ef99b6ef052c3

SHA1
4e30dd7c95349c1bdd9282756b0b4198911d8def

SHA256
22668a2d2907e4dd3f174aa24719219261f14e8419f91aceff94216494c0fb18

SHA512
3741377cf5a64cfd1fab4a3cfa77c9466ba9a21eee3c34513c2c5b25ce9513d9e5ee4e2d18e9b7942e3363d4836312c22fe4d46b1af8db0f3dec8cc8e3fce684

Download Submit
C:\Users\Admin\AppData\Local\Temp\02fc7538-1c38-4e0c-9377-8961d76bd5d1.vbs

Filesize
737B

MD5
673aa51a00e325dbfa54095718ba736a

SHA1
2eb692cba2012e377487b42cb9dba98a3b0b791f

SHA256
61eeb43fa789f3c426490024192c37327b092f21f1f7a7f0e84b64280a9d5376

SHA512
56268a398a3e0175edb1ad3531236023288487156126180351d528401ef54740461daec2e8958a2bbba3ee0609f99b21a8687cfa5f33d9bd1696caef1438901c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5270d0ae-6ce8-43ca-864d-d789efce7a62.vbs

Filesize
737B

MD5
0e106a298ec1932a82442665cc467bba

SHA1
fb6049bacb4000c4bcb0340bda4370410f8ddb4c

SHA256
526f2080eeaf00eebd9f9885e710db79031e06120f6bc7dc40c69bf4a819c89d

SHA512
3136890edbaa154f83e4de0ae71cbdd09c3114cf4de1d1ba1b376f9855e8aeb4e0222a9fe13888de4e955df7e14f5e93144d7282f56b7c028f40f1606a7ea546

Download Submit
C:\Users\Admin\AppData\Local\Temp\553153dc-4f1a-4de4-8e92-dc106ce100b6.vbs

Filesize
737B

MD5
6ba60d3f35c69ee8d14071ea3523d21e

SHA1
875bcef86d3ced7e15f6bf5817b0d15ec7c86a31

SHA256
9768dac078eb9526830f0b25fd9cdd66a39abc430d008a2b038f0463df8bfc22

SHA512
8009feae26e57a1c4eb7e795eb071a26b98cb012bb4b8c247ed97971efadc6172b1b44cb07d1f4864e322ebde16aee9b7d8394ccb849637712206466ec57c545

Download Submit
C:\Users\Admin\AppData\Local\Temp\67470deb-6c2d-4fa8-8889-ac53f7cb2dc7.vbs

Filesize
737B

MD5
881f5e6046cfe1a3beec243b0189c681

SHA1
836929d2324f8c2eb04dcd9ff4be96d857117cb8

SHA256
146457cfcad2f7bbc32c945bf2dd20721cf925bfca813d1787170f89f6bec02d

SHA512
1c2d5ba04db8ba94fec3cc6d25069376909e9ca8971ea188f3f6e82a20e43b2b134a84984285364271dde20874b2513f600abc58df2c0d58aa62735b3d64eaea

Download Submit
C:\Users\Admin\AppData\Local\Temp\699de04f-ac98-4be3-9d57-4602c002aebb.vbs

Filesize
737B

MD5
c93ebb197c89d8df721aff2fc7e29634

SHA1
c15dfe4417fd1811683dc3845de8fd7d890117a3

SHA256
b2a57bc17683edaf77834671c0f0ccdbf77dc4a45c1212d31ca1cacde1592242

SHA512
eedb62d2e406a1eb9a5c95fc698f81e823fc7d52fe9da0ba66431b47ec200849b51f2ce82ef640be4c3bab115a77ae56fe102ee26aee770962f7d8ffc8e96d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\6eda7f42-6003-432b-a93e-35019413181a.vbs

Filesize
737B

MD5
84c06da508d39b79b2860f8441d2fab6

SHA1
e0e9bec566dd09a3260da1b2996f3ed8db6d1c9e

SHA256
fba471c0e7bf8867156bb49ba785eb32b5a2a0fc66d7bd43c498170b6462bade

SHA512
26790c35d3a3eed55b767bd118ecf4579b63458dc9fcc21f660ab2e5c4212b8da9f30134ab09cb75ab4e1a76f4bf20022a6334dcf1347fcb5b2854bf80a222b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\72aa3a3a-6493-4517-93c5-c1f1e88c9e5e.vbs

Filesize
737B

MD5
702743fe335cdcfa79dd1c024373fca4

SHA1
f599d52e2a4009e61af6590ae77de3ca1866d11b

SHA256
9a6ca4cfc066aa9c44fce823e64ca8682b19a64e9034e1b99307bd24f3122d0b

SHA512
171ef433883e223daaa04bc2470e8e6175f1a8210d222db3dda63a12fa1d3a2184cd553c95481e98d557f6ccc6e8b64b5c609e485e28d6d1eaa064e13e277270

Download Submit
C:\Users\Admin\AppData\Local\Temp\a2d7f352-7976-4278-81e0-e502a9073b3d.vbs

Filesize
737B

MD5
0dc3d6986314ad7e9b4d5dbd5f036512

SHA1
4aa95cbf9698ac5fcd24128b3a14c66935a0c159

SHA256
ffc712b1ad69b8285d55474d8b98f12639342e229d302578c087f5135fa1e729

SHA512
d4c7d67a061fac0c260c790a90e3775778ed9c06acbb7f2ce6728be9f73b08ed0e87e9fff4ae06c959bb723e5f818a4dda860d6175b22f9c03db5ca1b233dede

Download Submit
C:\Users\Admin\AppData\Local\Temp\a7c82d87-67c7-43bd-930d-fb7f684fc940.vbs

Filesize
513B

MD5
4ced2572cc1a2f6a8db547297124ba66

SHA1
806c49388f728c60611d0de74344526571b4b65a

SHA256
7263d8b78db1986110c169105841645146adcb5690e0fa67b5fd4519109f007e

SHA512
4f7c10ca915b9cc2ca649a165425e24a0eb0f1d701643a6fcd99a9e730cce8ad59317a9887494fa1772d0daca4f757884f0066944bc3cdb954b3a960cf5f5ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\c4996240-fc9e-4512-bc57-fd84b2c083c7.vbs

Filesize
737B

MD5
4e3daee4cf1fe933190ac21dcdcb605b

SHA1
23dfdd88750033e3f1e83c320b9cea92964b0448

SHA256
9ff4b241ab305286ff3c383a26027b1b80fbe395c32a22d0ffb08b6970f4a536

SHA512
5fbe497f5a21421301fe15dfa2ed7da3842ed6452c1810f9101e63b2588454e8e1eedaac0c0f63c60c4824a4216db0789e734ecdf290db5ef092e05aa21b4640

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb5a622b-a762-4e29-9655-93ea5b67d6fe.vbs

Filesize
737B

MD5
101a788d976de2ba2228743fb5fe6bfb

SHA1
f7c1004d93eb195ad41df52b944c6f05654b027e

SHA256
3cb8b73df2f4f7e6f9c055ff30e72aeeb594023d3c65bcfe7c7bdc82957f1213

SHA512
4c84f29cf6f9649176ed1c4168e6c1b1bba19226e79fe16e7d6ebb898d497150f8f6e2f862c4c9d6f5fcc6a5c37d49104f16407375fc250adde5bfacf39bd2f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e01db80d-d4ff-4ff3-8107-226cd6c40230.vbs

Filesize
737B

MD5
a85e044f79eaed7486f6f8d952825628

SHA1
d5f86860248e09d3814b9c98dd6c668bf6215d85

SHA256
c6640a876143145e72acffdafe8c3cb09900aa949c7b916e1c3edc04df8cc663

SHA512
261fc8f5280e51ec7166188c84a566d15475780828366bf5a5a4be6fc3bc0505fcb9f96539c884c65a99f27621c5d2bb0f4d12e2970b7cfbbaba23ff25cd6f2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eb1d6e8c-fb2d-42d6-8525-185a2a2808a3.vbs

Filesize
737B

MD5
e24a80d37d7b8e109b5ed1d6f2441af9

SHA1
25e6dd5db7faa8abcd0b103c170ae8ed8da716e1

SHA256
fb6d659ff8e38651fde6c32b06e931deb849d2cae182e3eaa5e323d6ca943aa0

SHA512
4328808bcb4d92f58db49bce504817f43bbbcd7d4bb01482db3a333ff96d8f6e585acd83a0170d22aa8fbdde2bad946089587a9d2c6fa5438614709215d8904b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f9244a1b-323b-4562-8846-f036c45d48e3.vbs

Filesize
736B

MD5
d3a965a06729b7a8e8bbfee466bd53db

SHA1
ad65a34f4069fc5135818e5d0191c969f9138b42

SHA256
fc882d6df1a66efa9a7a05d5d2d3eed19c1e8906a4d3ba32052e6f0197850f7f

SHA512
0406d5ebd8df170a1d3152071ea4e6cc70c54b3a9edaf276914124bb259c7b7ccf703e0bef04b045a605178e56d5b5416173fc3c9c6b390020fe4b70520583c3

Download Submit
C:\Windows\addins\csrss.exe

Filesize
885KB

MD5
7f653aa47f3ef4d091f38ed9e5dcc6d4

SHA1
68ec9ab071cd6429ff3da60901ca80b283a7943a

SHA256
91e17c8d5d7f65ef395f929f499b1d53eeabdc4cb909a3bb5eeeea0e470214c1

SHA512
3622e31c5d688dbb7b247a0d43d7ea0f06b7710a1b92ef176c7c0a137b08bbb3b976ac7aced4bec393107c88a8d851d4073d793d56b3c4b6d69dd028265f357d

Download Submit
memory/376-331-0x0000000000F00000-0x0000000000FE4000-memory.dmp

Filesize
912KB

Download
memory/1160-307-0x0000000000BD0000-0x0000000000CB4000-memory.dmp

Filesize
912KB

Download
memory/1484-0-0x000007FEF5CB3000-0x000007FEF5CB4000-memory.dmp

Filesize
4KB

Download
memory/1484-9-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download
memory/1484-1-0x00000000010F0000-0x00000000011D4000-memory.dmp

Filesize
912KB

Download
memory/1484-2-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1484-201-0x000007FEF5CB0000-0x000007FEF669C000-memory.dmp

Filesize
9.9MB

Download
memory/1484-5-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/1484-3-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/1484-6-0x0000000000490000-0x000000000049A000-memory.dmp

Filesize
40KB

Download
memory/1484-7-0x00000000004A0000-0x00000000004AE000-memory.dmp

Filesize
56KB

Download
memory/1484-4-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/1484-8-0x00000000004B0000-0x00000000004B8000-memory.dmp

Filesize
32KB

Download
memory/1520-224-0x00000000008E0000-0x00000000009C4000-memory.dmp

Filesize
912KB

Download
memory/1916-283-0x00000000013C0000-0x00000000014A4000-memory.dmp

Filesize
912KB

Download
memory/2116-295-0x0000000000080000-0x0000000000164000-memory.dmp

Filesize
912KB

Download
memory/2136-260-0x0000000001100000-0x00000000011E4000-memory.dmp

Filesize
912KB

Download
memory/2464-319-0x00000000001D0000-0x00000000002B4000-memory.dmp

Filesize
912KB

Download
memory/2484-212-0x0000000000250000-0x0000000000334000-memory.dmp

Filesize
912KB

Download
memory/2676-248-0x0000000000E20000-0x0000000000F04000-memory.dmp

Filesize
912KB

Download
memory/2940-200-0x0000000000F30000-0x0000000001014000-memory.dmp

Filesize
912KB

Download
memory/2952-236-0x0000000000130000-0x0000000000214000-memory.dmp

Filesize
912KB

Download