dcrat | 286e0821c9dff60f28f608fbc48788495e4fc25616f718991a9b1979fce08cac

Analysis

max time kernel
148s
max time network
158s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b31fb95009cabc0f3df1aa933306bd32.exe
Size

1.6MB
MD5

b31fb95009cabc0f3df1aa933306bd32
SHA1

6500d8051a4fa58e907f78782c8f64036d936f73
SHA256

fb65fd84e33f32f49ae865e640a957886b51e895fecbf7a6539f7a1e780181f8
SHA512

278c02052dbc4e45331cd0c345cefa9a6b82af032f11500885eb088ed35b7250059f38801270249c534cabe49ba94b5ae741108750ed8c6e2810a1dea3e4d8a1
SSDEEP

24576:Ksm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:KD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2692	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2692	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral31/memory/2316-1-0x0000000001200000-0x00000000013A2000-memory.dmp	dcrat
behavioral31/files/0x000500000001ad50-25.dat	dcrat
behavioral31/files/0x000600000001c6d4-129.dat	dcrat
behavioral31/files/0x000a00000001c73a-165.dat	dcrat
behavioral31/files/0x000600000001c854-177.dat	dcrat
behavioral31/memory/1992-269-0x0000000000A10000-0x0000000000BB2000-memory.dmp	dcrat
behavioral31/memory/2968-280-0x0000000000C10000-0x0000000000DB2000-memory.dmp	dcrat
behavioral31/memory/704-292-0x0000000000130000-0x00000000002D2000-memory.dmp	dcrat
behavioral31/memory/2168-304-0x0000000000FB0000-0x0000000001152000-memory.dmp	dcrat
behavioral31/memory/2796-327-0x00000000013C0000-0x0000000001562000-memory.dmp	dcrat
behavioral31/memory/2168-361-0x0000000000210000-0x00000000003B2000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe
3068	powershell.exe
2624	powershell.exe
3052	powershell.exe
1904	powershell.exe
2068	powershell.exe
2904	powershell.exe
1216	powershell.exe
2464	powershell.exe
1688	powershell.exe
1200	powershell.exe
1768	powershell.exe
2420	powershell.exe
524	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
1992	sppsvc.exe
2968	sppsvc.exe
704	sppsvc.exe
2168	sppsvc.exe
2816	sppsvc.exe
2796	sppsvc.exe
2568	sppsvc.exe
1364	sppsvc.exe
2168	sppsvc.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX8E52.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX9066.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\56085415360792	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\101b941d020240	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\0a1fd5f707cd16	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\RCX7D07.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\b31fb95009cabc0f3df1aa933306bd32.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\886983d96e3d3e	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\RCX7D17.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\wininit.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCX8893.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files\DVD Maker\de-DE\RCX88A4.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX8DD5.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\wininit.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files\DVD Maker\de-DE\b31fb95009cabc0f3df1aa933306bd32.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File created	C:\Program Files\DVD Maker\de-DE\4a1a2ff20ae385	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\RCX9086.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX81DB.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\RCX8259.tmp	b31fb95009cabc0f3df1aa933306bd32.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe	b31fb95009cabc0f3df1aa933306bd32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
876	schtasks.exe
2412	schtasks.exe
1436	schtasks.exe
1772	schtasks.exe
2208	schtasks.exe
2704	schtasks.exe
2892	schtasks.exe
700	schtasks.exe
2128	schtasks.exe
1120	schtasks.exe
2828	schtasks.exe
1252	schtasks.exe
2192	schtasks.exe
2404	schtasks.exe
2092	schtasks.exe
1116	schtasks.exe
2396	schtasks.exe
2428	schtasks.exe
2400	schtasks.exe
976	schtasks.exe
1536	schtasks.exe
3068	schtasks.exe
704	schtasks.exe
1720	schtasks.exe
2624	schtasks.exe
576	schtasks.exe
2168	schtasks.exe
2908	schtasks.exe
2580	schtasks.exe
2956	schtasks.exe
2440	schtasks.exe
2760	schtasks.exe
1784	schtasks.exe
2212	schtasks.exe
2176	schtasks.exe
1288	schtasks.exe
1148	schtasks.exe
1716	schtasks.exe
2392	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1992	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2316	b31fb95009cabc0f3df1aa933306bd32.exe
2316	b31fb95009cabc0f3df1aa933306bd32.exe
2316	b31fb95009cabc0f3df1aa933306bd32.exe
2316	b31fb95009cabc0f3df1aa933306bd32.exe
2316	b31fb95009cabc0f3df1aa933306bd32.exe
1768	powershell.exe
524	powershell.exe
1200	powershell.exe
3052	powershell.exe
2464	powershell.exe
2624	powershell.exe
592	powershell.exe
2068	powershell.exe
1688	powershell.exe
2420	powershell.exe
3068	powershell.exe
2904	powershell.exe
1216	powershell.exe
1904	powershell.exe
1992	sppsvc.exe
2968	sppsvc.exe
704	sppsvc.exe
2168	sppsvc.exe
2816	sppsvc.exe
2796	sppsvc.exe
2568	sppsvc.exe
1364	sppsvc.exe
2168	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2316	b31fb95009cabc0f3df1aa933306bd32.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1992	sppsvc.exe
Token: SeDebugPrivilege	2968	sppsvc.exe
Token: SeDebugPrivilege	704	sppsvc.exe
Token: SeDebugPrivilege	2168	sppsvc.exe
Token: SeDebugPrivilege	2816	sppsvc.exe
Token: SeDebugPrivilege	2796	sppsvc.exe
Token: SeDebugPrivilege	2568	sppsvc.exe
Token: SeDebugPrivilege	1364	sppsvc.exe
Token: SeDebugPrivilege	2168	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1768	2316	b31fb95009cabc0f3df1aa933306bd32.exe	70
PID 2316 wrote to memory of 1768	2316	b31fb95009cabc0f3df1aa933306bd32.exe	70
PID 2316 wrote to memory of 1768	2316	b31fb95009cabc0f3df1aa933306bd32.exe	70
PID 2316 wrote to memory of 3052	2316	b31fb95009cabc0f3df1aa933306bd32.exe	71
PID 2316 wrote to memory of 3052	2316	b31fb95009cabc0f3df1aa933306bd32.exe	71
PID 2316 wrote to memory of 3052	2316	b31fb95009cabc0f3df1aa933306bd32.exe	71
PID 2316 wrote to memory of 2624	2316	b31fb95009cabc0f3df1aa933306bd32.exe	72
PID 2316 wrote to memory of 2624	2316	b31fb95009cabc0f3df1aa933306bd32.exe	72
PID 2316 wrote to memory of 2624	2316	b31fb95009cabc0f3df1aa933306bd32.exe	72
PID 2316 wrote to memory of 1200	2316	b31fb95009cabc0f3df1aa933306bd32.exe	73
PID 2316 wrote to memory of 1200	2316	b31fb95009cabc0f3df1aa933306bd32.exe	73
PID 2316 wrote to memory of 1200	2316	b31fb95009cabc0f3df1aa933306bd32.exe	73
PID 2316 wrote to memory of 3068	2316	b31fb95009cabc0f3df1aa933306bd32.exe	74
PID 2316 wrote to memory of 3068	2316	b31fb95009cabc0f3df1aa933306bd32.exe	74
PID 2316 wrote to memory of 3068	2316	b31fb95009cabc0f3df1aa933306bd32.exe	74
PID 2316 wrote to memory of 1688	2316	b31fb95009cabc0f3df1aa933306bd32.exe	75
PID 2316 wrote to memory of 1688	2316	b31fb95009cabc0f3df1aa933306bd32.exe	75
PID 2316 wrote to memory of 1688	2316	b31fb95009cabc0f3df1aa933306bd32.exe	75
PID 2316 wrote to memory of 592	2316	b31fb95009cabc0f3df1aa933306bd32.exe	77
PID 2316 wrote to memory of 592	2316	b31fb95009cabc0f3df1aa933306bd32.exe	77
PID 2316 wrote to memory of 592	2316	b31fb95009cabc0f3df1aa933306bd32.exe	77
PID 2316 wrote to memory of 524	2316	b31fb95009cabc0f3df1aa933306bd32.exe	79
PID 2316 wrote to memory of 524	2316	b31fb95009cabc0f3df1aa933306bd32.exe	79
PID 2316 wrote to memory of 524	2316	b31fb95009cabc0f3df1aa933306bd32.exe	79
PID 2316 wrote to memory of 2464	2316	b31fb95009cabc0f3df1aa933306bd32.exe	80
PID 2316 wrote to memory of 2464	2316	b31fb95009cabc0f3df1aa933306bd32.exe	80
PID 2316 wrote to memory of 2464	2316	b31fb95009cabc0f3df1aa933306bd32.exe	80
PID 2316 wrote to memory of 1216	2316	b31fb95009cabc0f3df1aa933306bd32.exe	81
PID 2316 wrote to memory of 1216	2316	b31fb95009cabc0f3df1aa933306bd32.exe	81
PID 2316 wrote to memory of 1216	2316	b31fb95009cabc0f3df1aa933306bd32.exe	81
PID 2316 wrote to memory of 2904	2316	b31fb95009cabc0f3df1aa933306bd32.exe	82
PID 2316 wrote to memory of 2904	2316	b31fb95009cabc0f3df1aa933306bd32.exe	82
PID 2316 wrote to memory of 2904	2316	b31fb95009cabc0f3df1aa933306bd32.exe	82
PID 2316 wrote to memory of 2068	2316	b31fb95009cabc0f3df1aa933306bd32.exe	83
PID 2316 wrote to memory of 2068	2316	b31fb95009cabc0f3df1aa933306bd32.exe	83
PID 2316 wrote to memory of 2068	2316	b31fb95009cabc0f3df1aa933306bd32.exe	83
PID 2316 wrote to memory of 2420	2316	b31fb95009cabc0f3df1aa933306bd32.exe	85
PID 2316 wrote to memory of 2420	2316	b31fb95009cabc0f3df1aa933306bd32.exe	85
PID 2316 wrote to memory of 2420	2316	b31fb95009cabc0f3df1aa933306bd32.exe	85
PID 2316 wrote to memory of 1904	2316	b31fb95009cabc0f3df1aa933306bd32.exe	87
PID 2316 wrote to memory of 1904	2316	b31fb95009cabc0f3df1aa933306bd32.exe	87
PID 2316 wrote to memory of 1904	2316	b31fb95009cabc0f3df1aa933306bd32.exe	87
PID 2316 wrote to memory of 1508	2316	b31fb95009cabc0f3df1aa933306bd32.exe	98
PID 2316 wrote to memory of 1508	2316	b31fb95009cabc0f3df1aa933306bd32.exe	98
PID 2316 wrote to memory of 1508	2316	b31fb95009cabc0f3df1aa933306bd32.exe	98
PID 1508 wrote to memory of 2820	1508	cmd.exe	100
PID 1508 wrote to memory of 2820	1508	cmd.exe	100
PID 1508 wrote to memory of 2820	1508	cmd.exe	100
PID 1508 wrote to memory of 1992	1508	cmd.exe	101
PID 1508 wrote to memory of 1992	1508	cmd.exe	101
PID 1508 wrote to memory of 1992	1508	cmd.exe	101
PID 1508 wrote to memory of 1992	1508	cmd.exe	101
PID 1508 wrote to memory of 1992	1508	cmd.exe	101
PID 1992 wrote to memory of 2200	1992	sppsvc.exe	102
PID 1992 wrote to memory of 2200	1992	sppsvc.exe	102
PID 1992 wrote to memory of 2200	1992	sppsvc.exe	102
PID 1992 wrote to memory of 2708	1992	sppsvc.exe	103
PID 1992 wrote to memory of 2708	1992	sppsvc.exe	103
PID 1992 wrote to memory of 2708	1992	sppsvc.exe	103
PID 2200 wrote to memory of 2968	2200	WScript.exe	104
PID 2200 wrote to memory of 2968	2200	WScript.exe	104
PID 2200 wrote to memory of 2968	2200	WScript.exe	104
PID 2200 wrote to memory of 2968	2200	WScript.exe	104
PID 2200 wrote to memory of 2968	2200	WScript.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b31fb95009cabc0f3df1aa933306bd32.exe
"C:\Users\Admin\AppData\Local\Temp\b31fb95009cabc0f3df1aa933306bd32.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b31fb95009cabc0f3df1aa933306bd32.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1768
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\b31fb95009cabc0f3df1aa933306bd32.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.151\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2464
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1216
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\de-DE\b31fb95009cabc0f3df1aa933306bd32.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNL0dL8YnE.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2820
- - C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
    "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\19b5127f-aa08-4f01-b34d-90891d599447.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6a33a7ae-ec27-4d34-b7c0-3720c0bd8993.vbs"
        6⤵
        
        PID:2868
        
        C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4163f05-38eb-4877-a64f-1065891ccde3.vbs"
        8⤵
        
        PID:2480
        
        C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5f08faf8-56f7-4992-ad34-223ac2c42ce2.vbs"
        10⤵
        
        PID:1904
        
        C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\12fc9f7f-fbda-4887-ab48-e99faa221b20.vbs"
        12⤵
        
        PID:1148
        
        C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6fcf5857-9a8f-46c1-a9cd-14752e6239c4.vbs"
        14⤵
        
        PID:1848
        
        C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\514814c9-f541-46ca-a71d-58fe97094dbc.vbs"
        16⤵
        
        PID:2632
        
        C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e044484f-9f7a-47a3-98b1-e6c2784ae455.vbs"
        18⤵
        
        PID:1332
        
        C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8dfb4c3d-eeb6-48b2-9ec3-4c6490891332.vbs"
        20⤵
        
        PID:2024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cfa49c45-f241-411a-80fd-a2f4cb5d4962.vbs"
        20⤵
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b21fcacd-0840-4de3-a9c0-a0dc3fc264a7.vbs"
        18⤵
        
        PID:2368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0e0dc188-82cf-4979-a1a5-51add18b98e8.vbs"
        16⤵
        
        PID:2644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\64f3c7bd-4c1f-4fb8-94ee-057fb573cd10.vbs"
        14⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ed2a7cbf-205f-4562-a190-aa65ad808125.vbs"
        12⤵
        
        PID:700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b15ffb99-f06d-46f6-9121-a93deae35f87.vbs"
        10⤵
        
        PID:2340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0a640d5a-9dff-4383-ad22-61f035039f00.vbs"
        8⤵
        
        PID:2920
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\379bb754-1aad-4962-8534-dcc93c30ddb3.vbs"
        6⤵
        
        PID:2896
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\898f6c2d-1be0-450c-b92f-30f0ee082218.vbs"
      4⤵
      PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b31fb95009cabc0f3df1aa933306bd32b" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\b31fb95009cabc0f3df1aa933306bd32.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b31fb95009cabc0f3df1aa933306bd32" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\b31fb95009cabc0f3df1aa933306bd32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b31fb95009cabc0f3df1aa933306bd32b" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\b31fb95009cabc0f3df1aa933306bd32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b31fb95009cabc0f3df1aa933306bd32b" /sc MINUTE /mo 12 /tr "'C:\Program Files\DVD Maker\de-DE\b31fb95009cabc0f3df1aa933306bd32.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b31fb95009cabc0f3df1aa933306bd32" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\b31fb95009cabc0f3df1aa933306bd32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b31fb95009cabc0f3df1aa933306bd32b" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\de-DE\b31fb95009cabc0f3df1aa933306bd32.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe

Filesize
1.6MB

MD5
a753a474d5e59aee8f2b570693aa85d9

SHA1
8fa0da1e127bb58935bdfcc225bc0a406c3f33e3

SHA256
bd75cd2b4d0b1d39e6a1ab3a25882460737e47c663d933dbfda734c75a91b6ba

SHA512
1563cb59ab6795714eed10c8e8acf650051a43772aef7537549ba0a312b62549c5d66ed6899bba4f947752ce3607e802f454601d0cacece583811efc998210aa

Download Submit
C:\Program Files (x86)\Google\Update\1.3.36.151\wininit.exe

Filesize
1.6MB

MD5
b31fb95009cabc0f3df1aa933306bd32

SHA1
6500d8051a4fa58e907f78782c8f64036d936f73

SHA256
fb65fd84e33f32f49ae865e640a957886b51e895fecbf7a6539f7a1e780181f8

SHA512
278c02052dbc4e45331cd0c345cefa9a6b82af032f11500885eb088ed35b7250059f38801270249c534cabe49ba94b5ae741108750ed8c6e2810a1dea3e4d8a1

Download Submit
C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\RCX8E52.tmp

Filesize
1.6MB

MD5
42b65f627ddc3b66a3960128a96bd803

SHA1
f2f384d0248bbf5911c46c0fa758e452b2ea4270

SHA256
33a805c906714b7163553a0f5973df2ae99132e1ed9540bf57f171a866784a6d

SHA512
90bcb519b2a9f3748b2441c4dfbc7485d2362c8354e101719cba7cc6a097e7f26591efb27e818d03ec9acf4c4286d8ae4282855ee7802e82fde6b2528a034d36

Download Submit
C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe

Filesize
1.6MB

MD5
7be93403b880ac1b1bfe15ff8d52d614

SHA1
165724d45afc965b607a8037195c0bce39b77852

SHA256
eea92cf607e6a49864d81a9f8a025f0cbdf4888a491beeac60b991781d9333e6

SHA512
1f0bc096c5d9f0ad01e84802811f88bae46ff3995c9b5339141db590ddf5e57210fdabeab3474329373e39a692bbb9fd1bf8c3984a1a3526071bbe0974c8eaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\12fc9f7f-fbda-4887-ab48-e99faa221b20.vbs

Filesize
727B

MD5
b9da8e3bdc88487b32897fdf8357a38b

SHA1
5782a6bac6b6a7a632916004d38bc92e721c84c1

SHA256
6b54a32b5fe3a815eb9b5ec2beb3b60d7040b46ebe164838cde19b96212a0a92

SHA512
c58660e391a05ab1e2bde2231b720bdeb4654393a973f7c2b28351ffb329c221b3e3c91f524b68d4db78f220828811f46d8613415cc2649e5682008a256344cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\19b5127f-aa08-4f01-b34d-90891d599447.vbs

Filesize
727B

MD5
45e43948db84ff733f2c70a93fd0dfe6

SHA1
d7d7fd1a4cfdf285df701e711d924cbcd896842a

SHA256
0ac32e3ad6120316062e83cda9cf91d083de1624b7f6a3f2fae5e30e9baa5076

SHA512
74d63f173b042b0502639ee38b2c1e541253c08c11e49f14e2d167e229de312c4a9abec51538ef8984735bf7ea302d2cc622534b92837d257c6678b434f49db8

Download Submit
C:\Users\Admin\AppData\Local\Temp\514814c9-f541-46ca-a71d-58fe97094dbc.vbs

Filesize
727B

MD5
4fa6a24b0981e06bb94534ea0faef1f9

SHA1
b1b0e0cdf82f0410707b9619d194dba6b9509fe9

SHA256
13e8c92df9b3c20d6e737e2c9d230e9de89f6381a69766e7281cae4561e0a830

SHA512
491bb5e88a0534740110991ee8e5d0e98950f5ff6ad8c58d187b5d4d9f75abe7502db203348239f8d50a76f681aa69d04201c98c88899b3118c9c4dceee84558

Download Submit
C:\Users\Admin\AppData\Local\Temp\5f08faf8-56f7-4992-ad34-223ac2c42ce2.vbs

Filesize
727B

MD5
ba6edaf12c5e9340614778e1da183bde

SHA1
a621070c6658f104b68ba14149794a0d9649c069

SHA256
28e3ccb5160cd3b34afbfb3446b3f84fd2ac93536cd6f302979c8f30ddf29a35

SHA512
c7fca2e9b4e621df0568ae476e4ddeff137800f7f8c302bf64788d8a3900cb8aafd6b79df2cd2ade23eac27b33e79336ad8d549c2bba16cd0ca72a5f1134477e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6a33a7ae-ec27-4d34-b7c0-3720c0bd8993.vbs

Filesize
727B

MD5
bea8bad1e52f7998920d80df068721e6

SHA1
603429a92ddfe52def72dd1db7aef8fe2df0eaa2

SHA256
bc3a9448d2ef5725bc36fdca7e92909c1ce17305d34d1500a06592cc198e6652

SHA512
61f7b3d2022c978328a67a791455ff375ab49e93896d8e9649c47915636cba2047a2bb25b335b0d6c5c2ecdf3db800c7c7eeb91bd80ec957ea7424c304485aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6fcf5857-9a8f-46c1-a9cd-14752e6239c4.vbs

Filesize
727B

MD5
384c804c0bde34cc48604164fafca5c9

SHA1
6af9e3d22e65f9e05acc8b6e2ef334365a37ae4c

SHA256
bbdd6a41329bd491cd2a196111a185d18aa383f78091d4e5520f2c612fd85dc1

SHA512
d7b0b821259cfdf87ec23ced42cc612bc082e4bec4b06f2ed5418a9d8abdbf1c040d92d38408e86a7b1e445454933e89e1409d013ba5d054cd19c93207c79813

Download Submit
C:\Users\Admin\AppData\Local\Temp\898f6c2d-1be0-450c-b92f-30f0ee082218.vbs

Filesize
503B

MD5
e856d1a2cde00bb46806b9457832ac42

SHA1
0c1a66527efd85bd11ea291e3137e4260611e72c

SHA256
ed0f00afd1581c022e6785a8973ac5c0fc512a2d37a08aecffe1e06f42f8fe4f

SHA512
5bd2db5e271a24aaccbe42944c54e4bc6a64beec59b4bbc07c70f592e994bdebf941ee892a7495a2c0894bac758b9fa30dca9cfe02d61acefe75e0943cf4101c

Download Submit
C:\Users\Admin\AppData\Local\Temp\e044484f-9f7a-47a3-98b1-e6c2784ae455.vbs

Filesize
727B

MD5
601bef170730bd5c7da964c5caa0273c

SHA1
c2d4619b59d0883f06e9bf269f7e25185ae045a0

SHA256
da5bdb714bbe0e767520df50d925f183140d8fd56de8c54c66034f95dad786bf

SHA512
94602476bab17025bd722f03fb0b377cd013e9ebd25195f94de29d9c543a04124b90199c1d27ea847431cd3d435b60ddc3fa2146788c5a55a523b13eb31532cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\e4163f05-38eb-4877-a64f-1065891ccde3.vbs

Filesize
726B

MD5
7358178a55ac9958f7e92cec9dc1db7c

SHA1
8be565c4882d6c4e49f692cf3734575bcea07f3d

SHA256
0ee258a93fae369aaabd714d55cc37d2661f1115f3496573336ae4b88761377a

SHA512
adfcd209a13fdaf65e1817c9aeb9e8a92750362343f81e941c380f07b32c3dd0f83f7fca5c81269b4764cf06d8bac8a1b324438c32a47d9e040594c707bd2214

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNL0dL8YnE.bat

Filesize
216B

MD5
eba47ec9ccf577c7015c4a3638d91e72

SHA1
b02ed2d7012c0d1b2b787ae469dd9e1d4a2b3e15

SHA256
387de46699daba9aa3ac43544357c051a920646c4a685f4869de57803f2a469b

SHA512
3dec4a5c672ffee3413ae3aa06cbda5f300974c57a441e99c3d815e44f5f76c7136bfe6eef2672475642303f18725d128e4c0b635f43ea44964be38fe6f6a2af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1c070c482279f128a96d641c28b3bfd6

SHA1
f4ed34c10922348f9935c7e66d560e06b26cac69

SHA256
03971c6c684247e5ba5d449d91ee5573a3a6fc49effcf66b557646ded15a89b4

SHA512
0629863aab83bb49b3b8706638d60e017c25c6f0dc4df8cac4dd2f0854deb6999654ce12bc9253c161004bde51b245ea1c2f81b1bb1bb59383d56470a24bf5ee

Download Submit
memory/524-213-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/704-292-0x0000000000130000-0x00000000002D2000-memory.dmp

Filesize
1.6MB

Download
memory/1768-204-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/1992-269-0x0000000000A10000-0x0000000000BB2000-memory.dmp

Filesize
1.6MB

Download
memory/2168-361-0x0000000000210000-0x00000000003B2000-memory.dmp

Filesize
1.6MB

Download
memory/2168-304-0x0000000000FB0000-0x0000000001152000-memory.dmp

Filesize
1.6MB

Download
memory/2316-207-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-5-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2316-6-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/2316-7-0x0000000000450000-0x0000000000460000-memory.dmp

Filesize
64KB

Download
memory/2316-9-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2316-73-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-10-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2316-43-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2316-8-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2316-4-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2316-16-0x0000000000CF0000-0x0000000000CFC000-memory.dmp

Filesize
48KB

Download
memory/2316-11-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/2316-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/2316-15-0x0000000000CE0000-0x0000000000CEA000-memory.dmp

Filesize
40KB

Download
memory/2316-14-0x0000000000CD0000-0x0000000000CD8000-memory.dmp

Filesize
32KB

Download
memory/2316-13-0x0000000000C40000-0x0000000000C48000-memory.dmp

Filesize
32KB

Download
memory/2316-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2316-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/2316-1-0x0000000001200000-0x00000000013A2000-memory.dmp

Filesize
1.6MB

Download
memory/2316-12-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2796-327-0x00000000013C0000-0x0000000001562000-memory.dmp

Filesize
1.6MB

Download
memory/2968-280-0x0000000000C10000-0x0000000000DB2000-memory.dmp

Filesize
1.6MB

Download
memory/3068-265-0x0000000001EA0000-0x0000000001EA8000-memory.dmp

Filesize
32KB

Download