dcrat | 400c24bdb9b7dabfcd9a8a2f137550f338014d833d169c6e6f4252910fb95feb

Analysis

max time kernel
146s
max time network
154s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2e433f395cc3b1c1ccf0cc50a676434.exe
Size

1.6MB
MD5

a2e433f395cc3b1c1ccf0cc50a676434
SHA1

1995c6f844060333376d1cbf7a20bacbc8d713ef
SHA256

259c93890754af6391901806acbdf6215a3f5210cb9a27fa6852f5c0aa73435b
SHA512

a5433232b4cd34e56ead2e7c04ab3290545e7dd93504ceac92b7ce5b090298b31245ac336cae789ec5419abc5d4e00bf6c0111456f5b772aca5e8deeb346be81
SSDEEP

24576:qsm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:qD8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2156	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2156	schtasks.exe	31

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/2268-1-0x0000000000AB0000-0x0000000000C52000-memory.dmp	dcrat
behavioral11/files/0x000500000001944d-25.dat	dcrat
behavioral11/files/0x000800000001937b-81.dat	dcrat
behavioral11/files/0x0007000000019438-92.dat	dcrat
behavioral11/files/0x000b00000001944d-125.dat	dcrat
behavioral11/memory/1396-220-0x00000000013B0000-0x0000000001552000-memory.dmp	dcrat
behavioral11/memory/2900-253-0x0000000000130000-0x00000000002D2000-memory.dmp	dcrat
behavioral11/memory/688-265-0x00000000010D0000-0x0000000001272000-memory.dmp	dcrat
behavioral11/memory/540-277-0x00000000013E0000-0x0000000001582000-memory.dmp	dcrat
behavioral11/memory/2696-311-0x0000000000300000-0x00000000004A2000-memory.dmp	dcrat
behavioral11/memory/2808-323-0x00000000001C0000-0x0000000000362000-memory.dmp	dcrat
behavioral11/memory/1748-335-0x00000000013D0000-0x0000000001572000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
2224	powershell.exe
2680	powershell.exe
936	powershell.exe
920	powershell.exe
2452	powershell.exe
2860	powershell.exe
2188	powershell.exe
2312	powershell.exe
620	powershell.exe
1548	powershell.exe
2540	powershell.exe
2856	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2872	a2e433f395cc3b1c1ccf0cc50a676434.exe
1396	dllhost.exe
2384	dllhost.exe
1992	dllhost.exe
2900	dllhost.exe
688	dllhost.exe
540	dllhost.exe
968	dllhost.exe
1648	dllhost.exe
2696	dllhost.exe
2808	dllhost.exe
1748	dllhost.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\OSPPSVC.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXDD6F.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\Google\Temp\csrss.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files\Windows Photo Viewer\1610b97d3ab4a7	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\RCXD88B.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\RCXDD01.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXDF73.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\fr-FR\WMIADAP.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\75a57c1bdf437c	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files\Windows Journal\de-DE\taskhost.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\Google\Temp\886983d96e3d3e	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\RCXDF74.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\OSPPSVC.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files\Windows Journal\de-DE\b75386f1303e64	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\RCXD88A.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files\Windows Journal\de-DE\taskhost.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\csrss.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\WMIADAP.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\setup.exe\explorer.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Windows\Resources\dllhost.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Windows\Resources\5940a34987c991	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Windows\Resources\dllhost.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Windows\Panther\setup.exe\explorer.exe	a2e433f395cc3b1c1ccf0cc50a676434.exe
File created	C:\Windows\Panther\setup.exe\7a0fd90576e088	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXE37C.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe
File opened for modification	C:\Windows\Panther\setup.exe\RCXE3EB.tmp	a2e433f395cc3b1c1ccf0cc50a676434.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2044	schtasks.exe
1856	schtasks.exe
752	schtasks.exe
2616	schtasks.exe
3008	schtasks.exe
2588	schtasks.exe
1212	schtasks.exe
2780	schtasks.exe
1512	schtasks.exe
1244	schtasks.exe
1656	schtasks.exe
2576	schtasks.exe
1652	schtasks.exe
2404	schtasks.exe
2552	schtasks.exe
1472	schtasks.exe
2696	schtasks.exe
1684	schtasks.exe
2324	schtasks.exe
2652	schtasks.exe
1952	schtasks.exe
576	schtasks.exe
2784	schtasks.exe
3000	schtasks.exe
2800	schtasks.exe
1472	schtasks.exe
1072	schtasks.exe
1412	schtasks.exe
1696	schtasks.exe
2700	schtasks.exe
1424	schtasks.exe
1692	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2268	a2e433f395cc3b1c1ccf0cc50a676434.exe
2188	powershell.exe
936	powershell.exe
2224	powershell.exe
620	powershell.exe
1548	powershell.exe
2420	powershell.exe
920	powershell.exe
2312	powershell.exe
2680	powershell.exe
2872	a2e433f395cc3b1c1ccf0cc50a676434.exe
2856	powershell.exe
2452	powershell.exe
2540	powershell.exe
2860	powershell.exe
1396	dllhost.exe
2384	dllhost.exe
1992	dllhost.exe
2900	dllhost.exe
688	dllhost.exe
540	dllhost.exe
968	dllhost.exe
1648	dllhost.exe
2696	dllhost.exe
2808	dllhost.exe
1748	dllhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1396	dllhost.exe
Token: SeDebugPrivilege	2384	dllhost.exe
Token: SeDebugPrivilege	1992	dllhost.exe
Token: SeDebugPrivilege	2900	dllhost.exe
Token: SeDebugPrivilege	688	dllhost.exe
Token: SeDebugPrivilege	540	dllhost.exe
Token: SeDebugPrivilege	968	dllhost.exe
Token: SeDebugPrivilege	1648	dllhost.exe
Token: SeDebugPrivilege	2696	dllhost.exe
Token: SeDebugPrivilege	2808	dllhost.exe
Token: SeDebugPrivilege	1748	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 1548	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	56
PID 2268 wrote to memory of 1548	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	56
PID 2268 wrote to memory of 1548	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	56
PID 2268 wrote to memory of 620	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	57
PID 2268 wrote to memory of 620	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	57
PID 2268 wrote to memory of 620	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	57
PID 2268 wrote to memory of 920	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	58
PID 2268 wrote to memory of 920	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	58
PID 2268 wrote to memory of 920	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	58
PID 2268 wrote to memory of 936	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	60
PID 2268 wrote to memory of 936	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	60
PID 2268 wrote to memory of 936	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	60
PID 2268 wrote to memory of 2680	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	62
PID 2268 wrote to memory of 2680	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	62
PID 2268 wrote to memory of 2680	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	62
PID 2268 wrote to memory of 2312	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	63
PID 2268 wrote to memory of 2312	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	63
PID 2268 wrote to memory of 2312	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	63
PID 2268 wrote to memory of 2224	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	65
PID 2268 wrote to memory of 2224	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	65
PID 2268 wrote to memory of 2224	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	65
PID 2268 wrote to memory of 2188	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	66
PID 2268 wrote to memory of 2188	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	66
PID 2268 wrote to memory of 2188	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	66
PID 2268 wrote to memory of 2420	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	67
PID 2268 wrote to memory of 2420	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	67
PID 2268 wrote to memory of 2420	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	67
PID 2268 wrote to memory of 2872	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	74
PID 2268 wrote to memory of 2872	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	74
PID 2268 wrote to memory of 2872	2268	a2e433f395cc3b1c1ccf0cc50a676434.exe	74
PID 2872 wrote to memory of 2856	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	84
PID 2872 wrote to memory of 2856	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	84
PID 2872 wrote to memory of 2856	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	84
PID 2872 wrote to memory of 2860	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	85
PID 2872 wrote to memory of 2860	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	85
PID 2872 wrote to memory of 2860	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	85
PID 2872 wrote to memory of 2540	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	86
PID 2872 wrote to memory of 2540	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	86
PID 2872 wrote to memory of 2540	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	86
PID 2872 wrote to memory of 2452	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	88
PID 2872 wrote to memory of 2452	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	88
PID 2872 wrote to memory of 2452	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	88
PID 2872 wrote to memory of 1396	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	92
PID 2872 wrote to memory of 1396	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	92
PID 2872 wrote to memory of 1396	2872	a2e433f395cc3b1c1ccf0cc50a676434.exe	92
PID 1396 wrote to memory of 2136	1396	dllhost.exe	93
PID 1396 wrote to memory of 2136	1396	dllhost.exe	93
PID 1396 wrote to memory of 2136	1396	dllhost.exe	93
PID 1396 wrote to memory of 2972	1396	dllhost.exe	94
PID 1396 wrote to memory of 2972	1396	dllhost.exe	94
PID 1396 wrote to memory of 2972	1396	dllhost.exe	94
PID 2136 wrote to memory of 2384	2136	WScript.exe	95
PID 2136 wrote to memory of 2384	2136	WScript.exe	95
PID 2136 wrote to memory of 2384	2136	WScript.exe	95
PID 2384 wrote to memory of 2352	2384	dllhost.exe	96
PID 2384 wrote to memory of 2352	2384	dllhost.exe	96
PID 2384 wrote to memory of 2352	2384	dllhost.exe	96
PID 2384 wrote to memory of 3008	2384	dllhost.exe	97
PID 2384 wrote to memory of 3008	2384	dllhost.exe	97
PID 2384 wrote to memory of 3008	2384	dllhost.exe	97
PID 2352 wrote to memory of 1992	2352	WScript.exe	98
PID 2352 wrote to memory of 1992	2352	WScript.exe	98
PID 2352 wrote to memory of 1992	2352	WScript.exe	98
PID 1992 wrote to memory of 2620	1992	dllhost.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe
"C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\explorer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe
  "C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\a2e433f395cc3b1c1ccf0cc50a676434.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\WMIADAP.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\dllhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2452
- - C:\Windows\Resources\dllhost.exe
    "C:\Windows\Resources\dllhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e5baa152-566f-4578-b812-0d1b818be5d9.vbs"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2136
    - - C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6f123b78-1947-4a0c-9876-5b619777b9a3.vbs"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d4ceadc1-9975-4511-82b7-3f39ddb58f67.vbs"
        8⤵
        
        PID:2620
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fe35bbdb-03cf-4ba7-84e6-9474d5fde669.vbs"
        10⤵
        
        PID:3000
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5df3b8a7-aaa0-4801-82e7-c797d50c497c.vbs"
        12⤵
        
        PID:572
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\32ede980-96e0-4310-a69c-694e10b14aeb.vbs"
        14⤵
        
        PID:884
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9fe5d8b5-eee0-4202-a477-ae4e83a7d640.vbs"
        16⤵
        
        PID:1636
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14642853-c0e4-417b-93af-3e2ab7296ee6.vbs"
        18⤵
        
        PID:2316
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cbf14bb8-245b-43cf-a938-829f75959c31.vbs"
        20⤵
        
        PID:2752
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ca4b567d-c495-423f-9821-01cecf7a3fbd.vbs"
        22⤵
        
        PID:2652
        
        C:\Windows\Resources\dllhost.exe
        
        C:\Windows\Resources\dllhost.exe
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\33b2cecc-cfc8-44f4-a99d-18c34ee05cd7.vbs"
        24⤵
        
        PID:1932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dbc57db4-28be-485d-9bb6-c73575279915.vbs"
        24⤵
        
        PID:1212
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\680861ea-9989-4430-889d-300dd7da404a.vbs"
        22⤵
        
        PID:572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d0559f58-ba60-4468-8aab-cf08d7c70b51.vbs"
        20⤵
        
        PID:2152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3fcf9420-b9d7-4f8a-ab46-b57f5360b837.vbs"
        18⤵
        
        PID:2492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\714ca499-e001-4597-b1af-fc0c6cbad57b.vbs"
        16⤵
        
        PID:2364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3018cca2-723f-4234-8890-702fe6b89cb7.vbs"
        14⤵
        
        PID:2592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b1e78b96-d2fc-4fbf-8d45-6aa9d8ebd206.vbs"
        12⤵
        
        PID:1760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f7566353-d39f-4864-91f0-9bd674efea7a.vbs"
        10⤵
        
        PID:2672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e4a48639-edd6-4782-8b95-70c47b67f766.vbs"
        8⤵
        
        PID:1952
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dae30187-87d7-4933-848d-bb7bf62f2b86.vbs"
        6⤵
        
        PID:3008
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7a772e2e-0899-4f1b-8f2e-519c0c660ea8.vbs"
      4⤵
      PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Windows\Panther\setup.exe\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\setup.exe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Temp\csrss.exe

Filesize
1.6MB

MD5
a2e433f395cc3b1c1ccf0cc50a676434

SHA1
1995c6f844060333376d1cbf7a20bacbc8d713ef

SHA256
259c93890754af6391901806acbdf6215a3f5210cb9a27fa6852f5c0aa73435b

SHA512
a5433232b4cd34e56ead2e7c04ab3290545e7dd93504ceac92b7ce5b090298b31245ac336cae789ec5419abc5d4e00bf6c0111456f5b772aca5e8deeb346be81

Download Submit
C:\Program Files (x86)\Google\Temp\csrss.exe

Filesize
1.6MB

MD5
6e93f6ea57f079b3b6bd5540ffb6f5e6

SHA1
0f36b9f2e901623bbf57e607a047082bf54b8b49

SHA256
041bdcd3faf2031da1924e19ef509b1c61eff9d4876cf7f272370e60ea5dbcb6

SHA512
9502957c838f83744c4c429c11ebc06673f6911ca85eee09aec713ca819c940ca1b222e0a089877bd04594404968e7ef88397b82791be2d2ab4ef33827d6fab2

Download Submit
C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe

Filesize
1.6MB

MD5
3a0c9a782ac8081ed5e3fff0b47315c8

SHA1
f88774df6b14463506077f43229e2a15c183dfaa

SHA256
f4529db39fd994bd83b8754d5b8e790a497f29d6af1146abd2ea661f3fd6c38f

SHA512
89d4876be07f728b7ba7c6dd867970ac57fb67ca992fa23112dba745bf1b9f6b3a2d08d570c331d25975ffe4b41910ca5322f33592ba56f7956626869a55d804

Download Submit
C:\Users\Admin\AppData\Local\Temp\14642853-c0e4-417b-93af-3e2ab7296ee6.vbs

Filesize
708B

MD5
d3c701d5217ec1615c7d1aec723ca4cd

SHA1
ee9f0234b9c1666118c03cc22a9e5d69b306c084

SHA256
3b3738678c20ceed742d175439397090ac5cf7bcf5f724da259d788199c76e06

SHA512
87a3dcbf281e9a61c42941b64f8852da90d96d208479e0fa87f57b688c7d27cd5817d6d65a9017ac3a811d5882bd999e736f6572bd7f438db2aa7935629ddc05

Download Submit
C:\Users\Admin\AppData\Local\Temp\32ede980-96e0-4310-a69c-694e10b14aeb.vbs

Filesize
707B

MD5
77e207e1df3a4af9adcb9c73ceb50236

SHA1
81460828496f799c0c1a287932842b623070580e

SHA256
e3936ad72967833cc8147ea603f5d147de6f387b92dcef784c468f9594bf623a

SHA512
1b860195031063ff5e713fc6837676ddeaf8d140a57c40870ab22b7b1cc23ef488b4e80d5ec27aecd1093b9840522a54d49eb9b692396c33f21da4a3710b28f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\33b2cecc-cfc8-44f4-a99d-18c34ee05cd7.vbs

Filesize
708B

MD5
5c583bccc5013427c3bcd03b78f80efd

SHA1
bf0ddae71c4130603657de81a6432f388a505c37

SHA256
c05e675e0d1dad3511af6feca71bbc14e755056e28810d2b59a880ef0b2c7486

SHA512
2bb6f86aa02c3669cd61567a673c5d848d2af089c7b72d662e51cd2e36f2849cd77d6474e68d89a5872445c1b67af79c8c25f64aa09b519e7663df19d10d548e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5df3b8a7-aaa0-4801-82e7-c797d50c497c.vbs

Filesize
707B

MD5
553fb08359a90c3a25375f79c7379d19

SHA1
88addba11e951498b5276329940ab21fe9da7417

SHA256
73cb81a290a13f471d46635145c029dea46c9fc63ef8154f294a8809cf8bb09e

SHA512
025ac95b630e196c497b0020bb1d9b0dd97d3a094a5cae948c6f539648803102a68760690b008df657fd1b68a816a029136550ec125a98d85b8ac448862aafd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6f123b78-1947-4a0c-9876-5b619777b9a3.vbs

Filesize
708B

MD5
b01d6049d774fb21420906f5527f546e

SHA1
d4e235ebeba50e565f956383df50079222881dd9

SHA256
f7bb238465e7f3bd408fc15b579a32f51e00fcb0c2f854d0f32958a3667afe7b

SHA512
bee3514f73c0895951c3c96c4a559c2f54e170fa5201758cd245da3bc101fcc2634bdc08b621e95e196aee7e376ab214e0a3730b3c278f1b1edb56a6a3e627c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a772e2e-0899-4f1b-8f2e-519c0c660ea8.vbs

Filesize
484B

MD5
828e3c23186289ac68f2ccdaf3da243e

SHA1
26b5011e5c318a6f01acf194a89d8a6e2cc256b1

SHA256
d07cc35df6d9e171cd9d4802d4ad549c386e68b6756886f6fd5c48c1f0beeebc

SHA512
c096c87c2a2e3114606742d16002002f1fc2e64f74bf9ba809273d1b76a2e5acdb0d83f2bfd1ad086860ced89394e1f61f37d8366103ead2b533dee472130af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9fe5d8b5-eee0-4202-a477-ae4e83a7d640.vbs

Filesize
707B

MD5
c1aa9ad9b1c85fc322e4838f994c94cf

SHA1
1ba9b01e568c7109075183f1023d34ad04ab5ba5

SHA256
ef86b3db2f43992dc3ff5c5270c8ce99c8f269aaf79cdbade50b28b6bf8876f8

SHA512
a6daaf26174bbde0e96011a9f86640f43888bcd07e77a65e6cdd9d0b59a5814dcb447a8a5050eb0ba4c7bf0c242f26ee1fe20f1e3f4c8ad2ae0ad18fe73296b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ca4b567d-c495-423f-9821-01cecf7a3fbd.vbs

Filesize
708B

MD5
03e51881106be31b21e3a24224c01ccc

SHA1
8e6a84a9395d420fc00f2b677622135b288a6d44

SHA256
7efc2d47b33e6e10c4f4cede3f053e06a8f6efa461f62768556eba27561f0261

SHA512
f75b79a00472dea5ebfa3ff86d4e6f5efc6082d49da2387f920ad885f7bd44847f9b9ea9eee20f34df5b56a8cc927f2143b96e41d45de95c9427a978c370d764

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbf14bb8-245b-43cf-a938-829f75959c31.vbs

Filesize
708B

MD5
a79d8c6059695fd19ef6c429264ffeb4

SHA1
7d6b68c79c64b3ceefcc3105f61475b7c86fdbc2

SHA256
e5d739546262d1a5a3460ff51b8d4ed5f0253f523d2616c183e8b0975520579e

SHA512
dc60989d839968c97d7260b15839383fbc789315f500c7237b2d335f5948612946d64a6e63e18d70d44f7c6d5c02dfbf5e9c426fb61c02ee7d3ca74118e36bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\d4ceadc1-9975-4511-82b7-3f39ddb58f67.vbs

Filesize
708B

MD5
e6244fcd2f0a5bbe1d8ac0e8bf67e840

SHA1
3d5d1db32d68d1574234286c619e13478be8c4cf

SHA256
079f5730539806e3d536863ae5c8050439e84695a9e877862063bf716b593c0c

SHA512
61602f06cceb34fc70ee8cdc860a2407770000bde53014ef47353339ae3bb0b6714be4b90aaa168dc458fd8d13f15a2f3f19269209e2dc972c661ef35ae6ce9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\e5baa152-566f-4578-b812-0d1b818be5d9.vbs

Filesize
708B

MD5
1da2e0cb5e4278a80d53c41f6d00eff7

SHA1
f5fdf537f4874675a913b2254a25680573f0f2a3

SHA256
3a7b5f61e82d5b61e4646c2fd054893e5d73b01631e80b54ad57448915093d39

SHA512
a671785734a03fb8205dcd941bba7aabd686e5cdca7560ab2f57dd0a12006acada5dd0306420b0a30a7cc280a005319210bc1d671475bcde9e891a2a1d10610a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fe35bbdb-03cf-4ba7-84e6-9474d5fde669.vbs

Filesize
708B

MD5
822010e212d1051751431bfd7c60c13e

SHA1
0d6a9568317a3de4229ef5ad64bcc86b88eee43d

SHA256
c4a67eef6f871aa8fc2206ba5bf1772682181cb7b0bfac1aca8c4afc17636e68

SHA512
430e87de44e95faed2b2defae11dab6f0ee596f8fbaf2f9b7036a73b74ce229e91f05c7d2415f723440db79d9bff4bf78f3d3a88e288418a3c580a144e9cd544

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
050c52ffde746b37ceeb67b27abdde41

SHA1
08362d2835a91b2ee7f63f12f6df2f656c770ccd

SHA256
9c22efa5f9fdb623b33c8e7c1080f0db41867b0dcd673c14f191a2df0c95ee89

SHA512
5f17801c9011d33b025e1496ee6cfc398348e1ef74ffce9293de9bd9256289dbe3fb526cf643edc9c575da83b194e6ee69dd5659543e42e773338151d2cc8f76

Download Submit
C:\Windows\Panther\setup.exe\explorer.exe

Filesize
1.6MB

MD5
e13ad31cf20f660bc34b2b7c186ab55f

SHA1
bcb0bc7207b2b2081503d33e505ca0a9524644aa

SHA256
efd8c49a19faaf970c73c8ca5091e08928ba96d6d6c019142f6513755ddaadda

SHA512
24726706a29d96d7cf016fcd6b47c4cd17066cbe9f536f2a54b5a5e8404eafe3fff5b4ed95da91e68fa4d9926b9650aa76a33ff961bb2f14fe254443d7ca5036

Download Submit
memory/540-277-0x00000000013E0000-0x0000000001582000-memory.dmp

Filesize
1.6MB

Download
memory/620-156-0x000000001B440000-0x000000001B722000-memory.dmp

Filesize
2.9MB

Download
memory/688-265-0x00000000010D0000-0x0000000001272000-memory.dmp

Filesize
1.6MB

Download
memory/936-157-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/1396-220-0x00000000013B0000-0x0000000001552000-memory.dmp

Filesize
1.6MB

Download
memory/1748-335-0x00000000013D0000-0x0000000001572000-memory.dmp

Filesize
1.6MB

Download
memory/2268-12-0x0000000000A10000-0x0000000000A1E000-memory.dmp

Filesize
56KB

Download
memory/2268-0-0x000007FEF5CD3000-0x000007FEF5CD4000-memory.dmp

Filesize
4KB

Download
memory/2268-1-0x0000000000AB0000-0x0000000000C52000-memory.dmp

Filesize
1.6MB

Download
memory/2268-3-0x0000000000350000-0x000000000036C000-memory.dmp

Filesize
112KB

Download
memory/2268-2-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-5-0x00000000005F0000-0x0000000000606000-memory.dmp

Filesize
88KB

Download
memory/2268-6-0x0000000000330000-0x0000000000338000-memory.dmp

Filesize
32KB

Download
memory/2268-8-0x0000000000610000-0x0000000000618000-memory.dmp

Filesize
32KB

Download
memory/2268-9-0x00000000009C0000-0x00000000009CC000-memory.dmp

Filesize
48KB

Download
memory/2268-4-0x0000000000140000-0x0000000000150000-memory.dmp

Filesize
64KB

Download
memory/2268-11-0x0000000000A00000-0x0000000000A0A000-memory.dmp

Filesize
40KB

Download
memory/2268-178-0x000007FEF5CD0000-0x000007FEF66BC000-memory.dmp

Filesize
9.9MB

Download
memory/2268-13-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/2268-14-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/2268-15-0x0000000000A40000-0x0000000000A4A000-memory.dmp

Filesize
40KB

Download
memory/2268-16-0x0000000000A50000-0x0000000000A5C000-memory.dmp

Filesize
48KB

Download
memory/2268-10-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/2268-7-0x0000000000810000-0x0000000000820000-memory.dmp

Filesize
64KB

Download
memory/2696-311-0x0000000000300000-0x00000000004A2000-memory.dmp

Filesize
1.6MB

Download
memory/2808-323-0x00000000001C0000-0x0000000000362000-memory.dmp

Filesize
1.6MB

Download
memory/2856-208-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2856-214-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/2900-253-0x0000000000130000-0x00000000002D2000-memory.dmp

Filesize
1.6MB

Download