dcrat | 5c63933553e1452d634beb2b295333e4db5742e571322d823648d4e5c94b2828

Analysis

max time kernel
150s
max time network
160s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fa6bf4f199a845715d9f5807a98d9ab.exe
Size

885KB
MD5

7fa6bf4f199a845715d9f5807a98d9ab
SHA1

25652948f2c3d400323873cb41bbc6b2b609d96a
SHA256

06198c97d0afdc17232dc3ffc8d5b23b5b97d82cf01bcdf8ef1236f08812e702
SHA512

99a56b7ddd2ff25d220e25c2ae1b0b92d8ee68313b54a23a937587e2677a9a776b8e55593c9b9dbd3b01c7365d006bba81066c747398afa6f23a53f9530b276c
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2864	schtasks.exe	29
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2864	schtasks.exe	29

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral21/memory/1684-1-0x0000000000DC0000-0x0000000000EA4000-memory.dmp	dcrat
behavioral21/files/0x000500000001a438-18.dat	dcrat
behavioral21/files/0x000700000001a48f-111.dat	dcrat
behavioral21/files/0x000c00000001a459-173.dat	dcrat
behavioral21/files/0x000900000001c84b-217.dat	dcrat
behavioral21/memory/1680-256-0x0000000001140000-0x0000000001224000-memory.dmp	dcrat
behavioral21/memory/1700-289-0x0000000001240000-0x0000000001324000-memory.dmp	dcrat
behavioral21/memory/2552-323-0x0000000001340000-0x0000000001424000-memory.dmp	dcrat
behavioral21/memory/2912-335-0x00000000000D0000-0x00000000001B4000-memory.dmp	dcrat
behavioral21/memory/2896-347-0x0000000000F50000-0x0000000001034000-memory.dmp	dcrat
behavioral21/memory/2544-359-0x0000000001250000-0x0000000001334000-memory.dmp	dcrat
behavioral21/memory/1868-371-0x0000000001270000-0x0000000001354000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
1680	winlogon.exe
1640	winlogon.exe
1324	winlogon.exe
1700	winlogon.exe
2676	winlogon.exe
1588	winlogon.exe
2552	winlogon.exe
2912	winlogon.exe
2896	winlogon.exe
2544	winlogon.exe
1868	winlogon.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX2102.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCX2113.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\RCX229B.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\RCX22DE.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\RCX22DF.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\56085415360792	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\Windows Mail\de-DE\csrss.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\Windows Mail\de-DE\886983d96e3d3e	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\Microsoft Office\Office14\csrss.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Program Files\Microsoft Office\Office14\886983d96e3d3e	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\RCX21C0.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\RCX2326.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Windows\Microsoft.NET\Framework64\1036\lsass.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Windows\Microsoft.NET\Framework64\1036\6203df4a6bafc7	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\services.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\c5b4cb5e9653cc	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\1036\RCX20A0.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\RCX2315.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe
File created	C:\Windows\rescache\wip\dwm.exe	7fa6bf4f199a845715d9f5807a98d9ab.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\1036\RCX208F.tmp	7fa6bf4f199a845715d9f5807a98d9ab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1748	schtasks.exe
2900	schtasks.exe
2148	schtasks.exe
304	schtasks.exe
1660	schtasks.exe
1656	schtasks.exe
2360	schtasks.exe
1596	schtasks.exe
760	schtasks.exe
3060	schtasks.exe
2568	schtasks.exe
1404	schtasks.exe
1496	schtasks.exe
2912	schtasks.exe
776	schtasks.exe
2364	schtasks.exe
1136	schtasks.exe
1120	schtasks.exe
1468	schtasks.exe
2860	schtasks.exe
1576	schtasks.exe
2652	schtasks.exe
2200	schtasks.exe
1160	schtasks.exe
872	schtasks.exe
2116	schtasks.exe
2224	schtasks.exe
2704	schtasks.exe
2660	schtasks.exe
1904	schtasks.exe
1716	schtasks.exe
2136	schtasks.exe
2448	schtasks.exe
892	schtasks.exe
2156	schtasks.exe
2840	schtasks.exe
1112	schtasks.exe
1532	schtasks.exe
952	schtasks.exe
2128	schtasks.exe
2608	schtasks.exe
832	schtasks.exe
2796	schtasks.exe
2556	schtasks.exe
876	schtasks.exe
2516	schtasks.exe
1472	schtasks.exe
2064	schtasks.exe
1436	schtasks.exe
2756	schtasks.exe
2000	schtasks.exe
2808	schtasks.exe
2472	schtasks.exe
2632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1684	7fa6bf4f199a845715d9f5807a98d9ab.exe
1684	7fa6bf4f199a845715d9f5807a98d9ab.exe
1684	7fa6bf4f199a845715d9f5807a98d9ab.exe
1684	7fa6bf4f199a845715d9f5807a98d9ab.exe
1684	7fa6bf4f199a845715d9f5807a98d9ab.exe
1680	winlogon.exe
1640	winlogon.exe
1324	winlogon.exe
1700	winlogon.exe
2676	winlogon.exe
1588	winlogon.exe
2552	winlogon.exe
2912	winlogon.exe
2896	winlogon.exe
2544	winlogon.exe
1868	winlogon.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	7fa6bf4f199a845715d9f5807a98d9ab.exe
Token: SeDebugPrivilege	1680	winlogon.exe
Token: SeDebugPrivilege	1640	winlogon.exe
Token: SeDebugPrivilege	1324	winlogon.exe
Token: SeDebugPrivilege	1700	winlogon.exe
Token: SeDebugPrivilege	2676	winlogon.exe
Token: SeDebugPrivilege	1588	winlogon.exe
Token: SeDebugPrivilege	2552	winlogon.exe
Token: SeDebugPrivilege	2912	winlogon.exe
Token: SeDebugPrivilege	2896	winlogon.exe
Token: SeDebugPrivilege	2544	winlogon.exe
Token: SeDebugPrivilege	1868	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1288	1684	7fa6bf4f199a845715d9f5807a98d9ab.exe	84
PID 1684 wrote to memory of 1288	1684	7fa6bf4f199a845715d9f5807a98d9ab.exe	84
PID 1684 wrote to memory of 1288	1684	7fa6bf4f199a845715d9f5807a98d9ab.exe	84
PID 1288 wrote to memory of 2840	1288	cmd.exe	86
PID 1288 wrote to memory of 2840	1288	cmd.exe	86
PID 1288 wrote to memory of 2840	1288	cmd.exe	86
PID 1288 wrote to memory of 1680	1288	cmd.exe	87
PID 1288 wrote to memory of 1680	1288	cmd.exe	87
PID 1288 wrote to memory of 1680	1288	cmd.exe	87
PID 1680 wrote to memory of 2980	1680	winlogon.exe	88
PID 1680 wrote to memory of 2980	1680	winlogon.exe	88
PID 1680 wrote to memory of 2980	1680	winlogon.exe	88
PID 1680 wrote to memory of 2972	1680	winlogon.exe	89
PID 1680 wrote to memory of 2972	1680	winlogon.exe	89
PID 1680 wrote to memory of 2972	1680	winlogon.exe	89
PID 2980 wrote to memory of 1640	2980	WScript.exe	90
PID 2980 wrote to memory of 1640	2980	WScript.exe	90
PID 2980 wrote to memory of 1640	2980	WScript.exe	90
PID 1640 wrote to memory of 2484	1640	winlogon.exe	91
PID 1640 wrote to memory of 2484	1640	winlogon.exe	91
PID 1640 wrote to memory of 2484	1640	winlogon.exe	91
PID 1640 wrote to memory of 560	1640	winlogon.exe	92
PID 1640 wrote to memory of 560	1640	winlogon.exe	92
PID 1640 wrote to memory of 560	1640	winlogon.exe	92
PID 2484 wrote to memory of 1324	2484	WScript.exe	93
PID 2484 wrote to memory of 1324	2484	WScript.exe	93
PID 2484 wrote to memory of 1324	2484	WScript.exe	93
PID 1324 wrote to memory of 1952	1324	winlogon.exe	94
PID 1324 wrote to memory of 1952	1324	winlogon.exe	94
PID 1324 wrote to memory of 1952	1324	winlogon.exe	94
PID 1324 wrote to memory of 1756	1324	winlogon.exe	95
PID 1324 wrote to memory of 1756	1324	winlogon.exe	95
PID 1324 wrote to memory of 1756	1324	winlogon.exe	95
PID 1952 wrote to memory of 1700	1952	WScript.exe	96
PID 1952 wrote to memory of 1700	1952	WScript.exe	96
PID 1952 wrote to memory of 1700	1952	WScript.exe	96
PID 1700 wrote to memory of 1136	1700	winlogon.exe	97
PID 1700 wrote to memory of 1136	1700	winlogon.exe	97
PID 1700 wrote to memory of 1136	1700	winlogon.exe	97
PID 1700 wrote to memory of 1656	1700	winlogon.exe	98
PID 1700 wrote to memory of 1656	1700	winlogon.exe	98
PID 1700 wrote to memory of 1656	1700	winlogon.exe	98
PID 1136 wrote to memory of 2676	1136	WScript.exe	99
PID 1136 wrote to memory of 2676	1136	WScript.exe	99
PID 1136 wrote to memory of 2676	1136	WScript.exe	99
PID 2676 wrote to memory of 1692	2676	winlogon.exe	100
PID 2676 wrote to memory of 1692	2676	winlogon.exe	100
PID 2676 wrote to memory of 1692	2676	winlogon.exe	100
PID 2676 wrote to memory of 2168	2676	winlogon.exe	101
PID 2676 wrote to memory of 2168	2676	winlogon.exe	101
PID 2676 wrote to memory of 2168	2676	winlogon.exe	101
PID 1692 wrote to memory of 1588	1692	WScript.exe	102
PID 1692 wrote to memory of 1588	1692	WScript.exe	102
PID 1692 wrote to memory of 1588	1692	WScript.exe	102
PID 1588 wrote to memory of 2800	1588	winlogon.exe	103
PID 1588 wrote to memory of 2800	1588	winlogon.exe	103
PID 1588 wrote to memory of 2800	1588	winlogon.exe	103
PID 1588 wrote to memory of 2112	1588	winlogon.exe	104
PID 1588 wrote to memory of 2112	1588	winlogon.exe	104
PID 1588 wrote to memory of 2112	1588	winlogon.exe	104
PID 2800 wrote to memory of 2552	2800	WScript.exe	105
PID 2800 wrote to memory of 2552	2800	WScript.exe	105
PID 2800 wrote to memory of 2552	2800	WScript.exe	105
PID 2552 wrote to memory of 1780	2552	winlogon.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe
"C:\Users\Admin\AppData\Local\Temp\7fa6bf4f199a845715d9f5807a98d9ab.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xk1H8t4K12.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2840
- - C:\Users\Default User\winlogon.exe
    "C:\Users\Default User\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e12ed23-83ed-47f3-a15a-1b0511342199.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2db4e8d0-1dea-4eee-bf5b-19fe82c5334b.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\61fa0062-b0ae-461b-abd8-5ef17ea01eb3.vbs"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f8aeb13-f6c7-4c08-8c6c-ba95ddd32c79.vbs"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bbc01160-5257-45a7-8a50-365748fe08d9.vbs"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ee050952-ac39-4d15-be92-b5640f54fc0c.vbs"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8964e000-42e4-4ad6-b774-0942c9693e3b.vbs"
        16⤵
        
        PID:1780
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\253710d3-3624-441d-a5ed-0638bcb18bdd.vbs"
        18⤵
        
        PID:2120
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcf0915b-fe1f-45cd-84ce-8cd4b04b4dc6.vbs"
        20⤵
        
        PID:2876
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d1b556e7-9b18-4d35-bf93-e9ab22357907.vbs"
        22⤵
        
        PID:2780
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68a6e94a-e80b-448c-952d-507cfdb96cc8.vbs"
        24⤵
        
        PID:2628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\eb9ce0ce-688a-45ee-8277-5f3278948c80.vbs"
        24⤵
        
        PID:1312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1f55cb93-779d-4397-8e78-bb41f62788f2.vbs"
        22⤵
        
        PID:3048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a8cdfccb-1b33-4cab-8204-14c08a227ef0.vbs"
        20⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\180243ce-7417-4c16-8dfa-32baa6a68b35.vbs"
        18⤵
        
        PID:436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8976e9a0-3212-4b08-b8cd-b11afd0abfe6.vbs"
        16⤵
        
        PID:1872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c43446ff-d067-41ef-b391-646342c4514f.vbs"
        14⤵
        
        PID:2112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cca50ff2-9c78-44c4-a51b-f2daba225851.vbs"
        12⤵
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\009612e0-4601-470a-a733-19d2f9042322.vbs"
        10⤵
        
        PID:1656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4b81b1c3-f6eb-42f0-b265-d61a3b7fc026.vbs"
        8⤵
        
        PID:1756
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fa288008-c99e-407f-a116-9fcf02f6df68.vbs"
        6⤵
        
        PID:560
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2d47ddc8-edd0-46b3-a279-bbd193e62c80.vbs"
      4⤵
      PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\Framework64\1036\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1036\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\Framework64\1036\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\RCX2313.tmp

Filesize
885KB

MD5
d6c9d7b53b6b89f311746e7ce8654f2b

SHA1
000f72000d3808205f38e0a2ae3caf6a5f329e71

SHA256
60dcc8b0aceaac546e94eae5926eefd208a946b8e1c67862b530f8b19bf229d5

SHA512
30ddd0dba5860a53a3c96116c58e65536ecec4e363695a30f3ac84fdf21f2836cc96395153ed22d17bef71007fe5b06f3a499598a6ba3a0a9fdef8ec440c6101

Download Submit
C:\Program Files (x86)\Windows Photo Viewer\it-IT\wininit.exe

Filesize
885KB

MD5
7fa6bf4f199a845715d9f5807a98d9ab

SHA1
25652948f2c3d400323873cb41bbc6b2b609d96a

SHA256
06198c97d0afdc17232dc3ffc8d5b23b5b97d82cf01bcdf8ef1236f08812e702

SHA512
99a56b7ddd2ff25d220e25c2ae1b0b92d8ee68313b54a23a937587e2677a9a776b8e55593c9b9dbd3b01c7365d006bba81066c747398afa6f23a53f9530b276c

Download Submit
C:\Program Files\Windows Mail\de-DE\csrss.exe

Filesize
885KB

MD5
7a57f136ff9f74cc9b2ad5fa7d3df67a

SHA1
915db35635e1a605a7b1bab2c3df750e84c51c16

SHA256
53e66c451b086721ce28cf46ee13f5c2dfd007e12b8cd34fdb382410e19885f2

SHA512
1393699eb541385dc87a2f5e672e1342c3a2c5534c2a5ae51095055dd3c41a58e778df06cd8b269075e7647a6a2a118f30552518f9a3fbcba501ba30b19c8503

Download Submit
C:\Users\Admin\AppData\Local\Temp\0e12ed23-83ed-47f3-a15a-1b0511342199.vbs

Filesize
710B

MD5
ab430474e4a97a230d677673a3e7cb22

SHA1
48daa34ccde283cf1cbcb14d630f884e6a868456

SHA256
18b45219550c218d7e91b0558df33f5d4ed597e09f172d98cdc01668a629210c

SHA512
d8f4b10f79301d9aa0e913a96d552e6e0edb9014a469af0ceb01aa8d85222aa2bd00213d569eaf39e96a81ce23af2e027f1c6e3bb68ab486ffbcfb18a07f0570

Download Submit
C:\Users\Admin\AppData\Local\Temp\1f8aeb13-f6c7-4c08-8c6c-ba95ddd32c79.vbs

Filesize
710B

MD5
a052766263ea3eddbef3416ee1bb1f3b

SHA1
1338041786e178b84eb6994782f505cbc7d78908

SHA256
5751a9e23a356b7a6941d28b74e561898eb624fa5fb311c64dcc6afbdfdc1ea6

SHA512
1e0b6c9d9f57bbe47f714e65866a169a868982e4859a4f8022ae6c5ab69c53bf60214ece35bb47268fc10dfdcdcc6336fced689f918e8226a7337dae8756ab0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\253710d3-3624-441d-a5ed-0638bcb18bdd.vbs

Filesize
710B

MD5
50cf6a01ddf4bb318bd09669f845af39

SHA1
c936b0c721b8bb0a41f9fac019dd29133b7f4032

SHA256
d0dfd7bfc872b738ccf4c098e05ac2d9e1632b6f7375bf0592d6d2a1ef5f0b1b

SHA512
15e94a48246991b34ad5bf1e8e801d66829316cd3cb8af53b7f1b8155bf7a029636bf1aac72de80b460508025e050353bd4d36bc08e127a3c3c5d103fa93fba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2d47ddc8-edd0-46b3-a279-bbd193e62c80.vbs

Filesize
486B

MD5
e50c38388df6ecde6808523b373af6e3

SHA1
9f5b9050f882be18937c25cff0cd4e2bede57e1b

SHA256
2271cfa8d487e3531a8e6ae03581c7811c3f3d651dc41c69b31fdde9b24f64af

SHA512
8c5347e0a0ebd2c5d4efaec8ba0ec806cae0aa91a987374fd510d1b742ed93e3794b57c394d39544babda9d892de604f5a3e188699be2b89ccedd5723fbe37d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2db4e8d0-1dea-4eee-bf5b-19fe82c5334b.vbs

Filesize
710B

MD5
a2f6ff4371405919f284c0639f8bd410

SHA1
b07f58ad313822e21348d772c65119c084a8b810

SHA256
840920a0fa67d1b055c49d7ec9e392934853c1ed530ec92f7f284fff8f7f26d6

SHA512
b1a1a7461b146cdd46329feb1a3bacadb43738bdc7fdcbdc97740641e7d38bf710dc36837d4aeb1b82dc0b2e0e06454eea4743924fe7208385cf5ff9acf60ff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\61fa0062-b0ae-461b-abd8-5ef17ea01eb3.vbs

Filesize
710B

MD5
39582c950df4eaec52e71c0a8855f151

SHA1
46d68a274a1b46837cd7af2d6892d6493769c486

SHA256
7fa52f9cc171b59dc41bc1a709ec2285b2d745fbe6597e87fc80f2966981578b

SHA512
842e91ffd0223fc2a6ce6b6ab43a7d4a78604ff760c9217191ea5fbc8e5b4443aaddd43c12c11c960d39e901320bec026eb51d81daff14cc27be7957110a39d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\68a6e94a-e80b-448c-952d-507cfdb96cc8.vbs

Filesize
710B

MD5
edf43bcb5251ae6b088d37b4f8d2614f

SHA1
4bfed9a0588e1dbbb3ffc8d6b5ab58774821a911

SHA256
cb4194c004e4135d0d6f7963e71919ed95ddeb218ba04cdbc83ff98a9d66d948

SHA512
94586987db8d6246f85b01585f0fd292a95c8e9991685b4914a4f2893f17a869a80f45f4819bb6e87fce859f4ce0bed4439033ab20cb1921548d8da7e80624e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\8964e000-42e4-4ad6-b774-0942c9693e3b.vbs

Filesize
710B

MD5
7c3885b3876183c6169edab0535f9109

SHA1
aeab6daa47acc9b4180c4b0798def3ebdcc0f27e

SHA256
d6dcf8f25b4d37efa88be27100283f0c748be137a046dfbfd138f4100581641c

SHA512
42fc5214e407af8659a96183d40c99ebd96f9215c151f6cc82f354d7d3f28f37711062dfee220def6c4dac6248a83fad50154219de7527973109c1e94e607f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xk1H8t4K12.bat

Filesize
199B

MD5
f860aac247db320023d33a9a8f58107c

SHA1
2d0b586a52e321779b5d5ef7fa1e82286b6c5f31

SHA256
2063c110f264a33f804f893e341b207181cff4b3c93f6a9b79ef0e4d4dcb1333

SHA512
9dd5b37a56bba32ddaca3ba0a8a633d904c813a5c656a38f6720543896bf0fc3efae6afbce021a98ce39eadc01bc37729c13d3f738e194a43a863b5bfc968db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbc01160-5257-45a7-8a50-365748fe08d9.vbs

Filesize
710B

MD5
5c2b2ec511009b0b4c69f33e53bfda91

SHA1
abe8725a93dc3b405c28ce41ebf2ea3b8195823b

SHA256
c2f0155d10550c5c8c41946803d124c5b30df677dee960671c1e400967a937ba

SHA512
f3f8a18ee925ab310759039924c490ce03ffe58948fd9e0a5184e53ad9c161684c0b3cc3168979a36c3ab430936aad1a4f439a5088e8655a8c4c637a6626742d

Download Submit
C:\Users\Admin\AppData\Local\Temp\c593460a1cc26114da33333df493100821daf2d0.exe

Filesize
885KB

MD5
dae423dcdf77c3ee1f88cf6ad17ab009

SHA1
4a7233065af4168332305dacc5ea6e20088c5be0

SHA256
8a23a12980d5668acce474ea6202521536e29e8a8271803e6294508621f4849a

SHA512
1d9750063ecb5601415212783887e49a0aa752d770ceac3b7f98d04835540bda1d6d6e821baf9a5d17ff2771cc7a386541c7d0923bd74684848d4bfd263d95b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1b556e7-9b18-4d35-bf93-e9ab22357907.vbs

Filesize
710B

MD5
dc9fec6cd13de6cd6a44e9849d637f17

SHA1
a1ba20d2e545b178ec3ffb0016c1951cb8602b67

SHA256
b1b926d7e0de4017edadd0b77d77b48f7ca2b613265ef28d07623e0daecbd93e

SHA512
f18ceea24c53104e11faf16191fc1e66d2dcd2e038147409b685e8702fffde714d3c5ccdbdcea252f3cc496f8229d4633aef943fabb61a92edb80fbb5ce06969

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcf0915b-fe1f-45cd-84ce-8cd4b04b4dc6.vbs

Filesize
710B

MD5
f470b4178292c2cf7ed415476454f740

SHA1
520325ba86eaaba733ecdc6a25cab0f2979c45de

SHA256
e59d6041e0b4b77b555e053ffd59d59f43cb17413394e4bbffe8d4fafb4260d6

SHA512
075061677ff69e6bab018ddad5ea46f7f57d34a30a5ea4327509732af8299566f4b8ed244b1342d6aea3720360180e0b839440e9b64b6298f5b1b4a303fa3929

Download Submit
C:\Users\Admin\AppData\Local\Temp\ee050952-ac39-4d15-be92-b5640f54fc0c.vbs

Filesize
710B

MD5
c071593c15529c7c26130cf4d173f1e8

SHA1
b109647eaf8e0bc8c71372cc9dafbe13e559f3b1

SHA256
1af1549335697c21c281272dc7dba088a72546f253db523ed813d52897dbdd44

SHA512
21a23a28777422ef6edf3712af63f7ce4f505a729005bebd13c1067ddb4fc0b5bba10ab555d8b1d0d6908dbd66c75e011ce57ba8a5c19b7b176555182fef88e0

Download Submit
C:\Users\Default\RCX234A.tmp

Filesize
885KB

MD5
59ebe4463281c471b5318b76efc96ebc

SHA1
10e0f100669b44ea44a2b9e0b5c2821fe7052ea5

SHA256
1ebfd70768fabf2cd8a1b11b0e4f5fbb6f134799a9aba1bb3d4252eb6d64adda

SHA512
3fc9fb26262dd1324294eb78a75fd2ecc1d58e29dc89fb233e1cfba96b956bc1d3e40e92b251d3a32b276907d5ff8076091c573b72bb673bcaf9bc3e4fa1b9dd

Download Submit
memory/1680-256-0x0000000001140000-0x0000000001224000-memory.dmp

Filesize
912KB

Download
memory/1684-3-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/1684-5-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/1684-4-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/1684-9-0x0000000000D70000-0x0000000000D7C000-memory.dmp

Filesize
48KB

Download
memory/1684-7-0x00000000005C0000-0x00000000005CE000-memory.dmp

Filesize
56KB

Download
memory/1684-6-0x00000000005B0000-0x00000000005BA000-memory.dmp

Filesize
40KB

Download
memory/1684-1-0x0000000000DC0000-0x0000000000EA4000-memory.dmp

Filesize
912KB

Download
memory/1684-0-0x000007FEF6423000-0x000007FEF6424000-memory.dmp

Filesize
4KB

Download
memory/1684-2-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1684-8-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/1684-253-0x000007FEF6420000-0x000007FEF6E0C000-memory.dmp

Filesize
9.9MB

Download
memory/1700-289-0x0000000001240000-0x0000000001324000-memory.dmp

Filesize
912KB

Download
memory/1868-371-0x0000000001270000-0x0000000001354000-memory.dmp

Filesize
912KB

Download
memory/2544-359-0x0000000001250000-0x0000000001334000-memory.dmp

Filesize
912KB

Download
memory/2552-323-0x0000000001340000-0x0000000001424000-memory.dmp

Filesize
912KB

Download
memory/2896-347-0x0000000000F50000-0x0000000001034000-memory.dmp

Filesize
912KB

Download
memory/2912-335-0x00000000000D0000-0x00000000001B4000-memory.dmp

Filesize
912KB

Download