dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Size

1.6MB
MD5

517861702fe0a89aa5e3af35d9f96661
SHA1

50101d8bff153320694baf54bc7b68e585720d4d
SHA256

1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4
SHA512

da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2636	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2636	schtasks.exe	30

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral11/memory/1948-1-0x0000000000980000-0x0000000000B22000-memory.dmp	dcrat
behavioral11/files/0x000500000001a4bd-25.dat	dcrat
behavioral11/files/0x000700000001c764-106.dat	dcrat
behavioral11/files/0x000600000001a4cb-140.dat	dcrat
behavioral11/files/0x000700000001a4cf-151.dat	dcrat
behavioral11/files/0x000700000001a4d7-162.dat	dcrat
behavioral11/files/0x000f00000001a4de-222.dat	dcrat
behavioral11/memory/2748-315-0x0000000000EA0000-0x0000000001042000-memory.dmp	dcrat
behavioral11/memory/2396-343-0x0000000000090000-0x0000000000232000-memory.dmp	dcrat
behavioral11/memory/2504-376-0x0000000001320000-0x00000000014C2000-memory.dmp	dcrat
behavioral11/memory/1436-402-0x00000000000E0000-0x0000000000282000-memory.dmp	dcrat
behavioral11/memory/316-414-0x0000000000D60000-0x0000000000F02000-memory.dmp	dcrat
behavioral11/memory/2988-437-0x0000000000220000-0x00000000003C2000-memory.dmp	dcrat
behavioral11/memory/1020-449-0x0000000000230000-0x00000000003D2000-memory.dmp	dcrat
behavioral11/memory/2336-461-0x0000000000BB0000-0x0000000000D52000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1192	powershell.exe
1308	powershell.exe
1676	powershell.exe
2436	powershell.exe
3068	powershell.exe
952	powershell.exe
2364	powershell.exe
2608	powershell.exe
2648	powershell.exe
900	powershell.exe
696	powershell.exe
1316	powershell.exe
2972	powershell.exe
2864	powershell.exe
2320	powershell.exe
1732	powershell.exe
3052	powershell.exe
1776	powershell.exe
2352	powershell.exe
2440	powershell.exe
792	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2396	lsm.exe
2504	lsm.exe
2292	lsm.exe
1944	lsm.exe
1436	lsm.exe
316	lsm.exe
2040	lsm.exe
2988	lsm.exe
1020	lsm.exe
2336	lsm.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MSBuild\RCX5583.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\RCX72CC.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX753F.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\MSBuild\101b941d020240	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX6EC3.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\RCX72CD.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files\MSBuild\lsm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\MSBuild\dwm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\RCX74D1.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files\MSBuild\lsm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\MSBuild\dwm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\MSBuild\6cb0b6c459d5d3	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\c5b4cb5e9653cc	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\MSBuild\RCX5582.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\RCX6EC4.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\5940a34987c991	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\26a8967c8ba04a	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\cc11b995f2a76d	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\LiveKernelReports\1610b97d3ab4a7	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\ShellNew\winlogon.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\Offline Web Pages\taskhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\LiveKernelReports\OSPPSVC.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX62F6.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX62F7.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\LiveKernelReports\lsm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX6ABA.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Offline Web Pages\taskhost.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\ShellNew\RCX6CBF.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\LiveKernelReports\lsm.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\servicing\en-US\wininit.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\Offline Web Pages\RCX6A4C.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX70C7.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\LiveKernelReports\RCX70C8.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\twain_32\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\twain_32\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\LiveKernelReports\101b941d020240	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\Offline Web Pages\b75386f1303e64	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\ShellNew\winlogon.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\ShellNew\RCX6CBE.tmp	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File opened for modification	C:\Windows\LiveKernelReports\OSPPSVC.exe	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
File created	C:\Windows\twain_32\26a8967c8ba04a	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
2328	schtasks.exe
1640	schtasks.exe
2188	schtasks.exe
2072	schtasks.exe
1248	schtasks.exe
2536	schtasks.exe
2068	schtasks.exe
1672	schtasks.exe
2156	schtasks.exe
2664	schtasks.exe
2908	schtasks.exe
2420	schtasks.exe
700	schtasks.exe
2272	schtasks.exe
484	schtasks.exe
1952	schtasks.exe
292	schtasks.exe
2988	schtasks.exe
2660	schtasks.exe
2724	schtasks.exe
1696	schtasks.exe
2040	schtasks.exe
684	schtasks.exe
2444	schtasks.exe
2060	schtasks.exe
2176	schtasks.exe
1816	schtasks.exe
3024	schtasks.exe
3028	schtasks.exe
2972	schtasks.exe
2628	schtasks.exe
2152	schtasks.exe
2152	schtasks.exe
1824	schtasks.exe
2380	schtasks.exe
1540	schtasks.exe
2880	schtasks.exe
3020	schtasks.exe
1208	schtasks.exe
2884	schtasks.exe
2228	schtasks.exe
1564	schtasks.exe
2180	schtasks.exe
2612	schtasks.exe
2560	schtasks.exe
2784	schtasks.exe
2384	schtasks.exe
2928	schtasks.exe
1644	schtasks.exe
2704	schtasks.exe
1320	schtasks.exe
1808	schtasks.exe
3044	schtasks.exe
1272	schtasks.exe
1836	schtasks.exe
1944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
2436	powershell.exe
900	powershell.exe
3068	powershell.exe
1192	powershell.exe
952	powershell.exe
1308	powershell.exe
2608	powershell.exe
792	powershell.exe
1316	powershell.exe
2364	powershell.exe
2440	powershell.exe
2352	powershell.exe
1732	powershell.exe
2320	powershell.exe
3052	powershell.exe
696	powershell.exe
2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
1776	powershell.exe
1676	powershell.exe
2648	powershell.exe
2972	powershell.exe
2864	powershell.exe
2396	lsm.exe
2504	lsm.exe
1944	lsm.exe
1436	lsm.exe
316	lsm.exe
2040	lsm.exe
2988	lsm.exe
1020	lsm.exe
2336	lsm.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2396	lsm.exe
Token: SeDebugPrivilege	2504	lsm.exe
Token: SeDebugPrivilege	1944	lsm.exe
Token: SeDebugPrivilege	1436	lsm.exe
Token: SeDebugPrivilege	316	lsm.exe
Token: SeDebugPrivilege	2040	lsm.exe
Token: SeDebugPrivilege	2988	lsm.exe
Token: SeDebugPrivilege	1020	lsm.exe
Token: SeDebugPrivilege	2336	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 2436	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	76
PID 1948 wrote to memory of 2436	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	76
PID 1948 wrote to memory of 2436	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	76
PID 1948 wrote to memory of 900	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 1948 wrote to memory of 900	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 1948 wrote to memory of 900	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	77
PID 1948 wrote to memory of 3068	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 1948 wrote to memory of 3068	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 1948 wrote to memory of 3068	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	78
PID 1948 wrote to memory of 952	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 1948 wrote to memory of 952	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 1948 wrote to memory of 952	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	79
PID 1948 wrote to memory of 696	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 1948 wrote to memory of 696	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 1948 wrote to memory of 696	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	80
PID 1948 wrote to memory of 792	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 1948 wrote to memory of 792	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 1948 wrote to memory of 792	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	81
PID 1948 wrote to memory of 2320	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 1948 wrote to memory of 2320	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 1948 wrote to memory of 2320	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	82
PID 1948 wrote to memory of 2440	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	84
PID 1948 wrote to memory of 2440	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	84
PID 1948 wrote to memory of 2440	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	84
PID 1948 wrote to memory of 2352	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	86
PID 1948 wrote to memory of 2352	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	86
PID 1948 wrote to memory of 2352	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	86
PID 1948 wrote to memory of 2364	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	88
PID 1948 wrote to memory of 2364	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	88
PID 1948 wrote to memory of 2364	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	88
PID 1948 wrote to memory of 1192	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	89
PID 1948 wrote to memory of 1192	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	89
PID 1948 wrote to memory of 1192	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	89
PID 1948 wrote to memory of 1732	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	90
PID 1948 wrote to memory of 1732	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	90
PID 1948 wrote to memory of 1732	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	90
PID 1948 wrote to memory of 1316	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	91
PID 1948 wrote to memory of 1316	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	91
PID 1948 wrote to memory of 1316	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	91
PID 1948 wrote to memory of 1308	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	93
PID 1948 wrote to memory of 1308	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	93
PID 1948 wrote to memory of 1308	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	93
PID 1948 wrote to memory of 2608	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	94
PID 1948 wrote to memory of 2608	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	94
PID 1948 wrote to memory of 2608	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	94
PID 1948 wrote to memory of 3052	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	95
PID 1948 wrote to memory of 3052	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	95
PID 1948 wrote to memory of 3052	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	95
PID 1948 wrote to memory of 1028	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	108
PID 1948 wrote to memory of 1028	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	108
PID 1948 wrote to memory of 1028	1948	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	108
PID 1028 wrote to memory of 2316	1028	cmd.exe	110
PID 1028 wrote to memory of 2316	1028	cmd.exe	110
PID 1028 wrote to memory of 2316	1028	cmd.exe	110
PID 1028 wrote to memory of 2748	1028	cmd.exe	111
PID 1028 wrote to memory of 2748	1028	cmd.exe	111
PID 1028 wrote to memory of 2748	1028	cmd.exe	111
PID 2748 wrote to memory of 1676	2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	124
PID 2748 wrote to memory of 1676	2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	124
PID 2748 wrote to memory of 1676	2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	124
PID 2748 wrote to memory of 2972	2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	125
PID 2748 wrote to memory of 2972	2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	125
PID 2748 wrote to memory of 2972	2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	125
PID 2748 wrote to memory of 2864	2748	1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
"C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:900
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3068
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3052
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PjeqD3hzkr.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:2316
- - C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe
    "C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2972
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\taskhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2864
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\lsm.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2648
  - - C:\Program Files\MSBuild\lsm.exe
      "C:\Program Files\MSBuild\lsm.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2f0eaef-6db0-4e34-90be-371512e9041e.vbs"
        5⤵
        
        PID:1744
      - C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aaae2e9c-63db-4937-aaaa-87a109741517.vbs"
        7⤵
        
        PID:3000
        
        C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        8⤵
        Executes dropped EXE
        
        PID:2292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f9effefd-4b23-4848-840c-26afd2e7e6d3.vbs"
        9⤵
        
        PID:1236
        
        C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\5802f38e-1f19-4913-996d-91ec1ebd039b.vbs"
        11⤵
        
        PID:1492
        
        C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\629d6336-c9a0-41b2-8b0d-3b2478947b9f.vbs"
        13⤵
        
        PID:2008
        
        C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0de8b96c-d843-42ab-8a9b-16df130e0548.vbs"
        15⤵
        
        PID:2536
        
        C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ba63d757-f63f-4d8e-abec-3a96c3fe0a98.vbs"
        17⤵
        
        PID:1940
        
        C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c5386074-fd01-4d13-b95f-1bd553b518b6.vbs"
        19⤵
        
        PID:2456
        
        C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\65d7aab7-6c52-41fd-b285-7351b2fed014.vbs"
        21⤵
        
        PID:3044
        
        C:\Program Files\MSBuild\lsm.exe
        
        "C:\Program Files\MSBuild\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\67fc300a-53be-4fc5-af1b-7eb0b1e41e0e.vbs"
        23⤵
        
        PID:2908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0574c8ad-aa04-48bc-b217-11188ff0dd90.vbs"
        23⤵
        
        PID:1696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ec7371e5-0996-4e5c-9f27-07e85540cd69.vbs"
        21⤵
        
        PID:2836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\fcd0348b-595e-49c1-a2a4-d55da69d533a.vbs"
        19⤵
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e286fa0d-0028-43fc-8f22-a95e73174242.vbs"
        17⤵
        
        PID:2308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f3782fdd-fba8-48f3-85d9-a0a6a98d4c03.vbs"
        15⤵
        
        PID:2904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c79c879e-c0b1-4021-989f-e129c8ff525a.vbs"
        13⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\285cea6f-87bb-4bdc-98d6-017208fb7a87.vbs"
        11⤵
        
        PID:2584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2a42f194-6728-45cf-b598-885f3230c2f3.vbs"
        9⤵
        
        PID:2232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d6353ebd-2727-43a1-9817-a32d2d38f0ab.vbs"
        7⤵
        
        PID:2624
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4291f409-b979-4e64-b501-4d12a58cdb2b.vbs"
        5⤵
        
        PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Offline Web Pages\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Offline Web Pages\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\ShellNew\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ShellNew\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Windows\ShellNew\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Cookies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 9 /tr "'C:\Windows\twain_32\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4" /sc ONLOGON /tr "'C:\Windows\twain_32\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e41" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\services.exe

Filesize
1.6MB

MD5
feda1214eafa52828a14ed96739572ea

SHA1
842c421868bef32374644dab600c8131c7e5053a

SHA256
328f9df2c37792320de2afd772314ee4c7d4d42fbec045c8467f182615a4d777

SHA512
90de0a35d98165d9965861b43ab2b7a1ba8c190bd7b50acf5e056d1101af4da8b5d7cc045e673aaa0a816b14ea0e7d8e84f574f96c9fc6db92eac18a52622339

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe

Filesize
1.6MB

MD5
517861702fe0a89aa5e3af35d9f96661

SHA1
50101d8bff153320694baf54bc7b68e585720d4d

SHA256
1e055435efe74e0a6ad32eb91f5d7a78850f0989a79902ea725e684d4d3af2e4

SHA512
da7ee6a8120f6a874c3f018580c05d37412a3cf7ec4346ffcee861bd9a415937c89734864b7d9fc84f09c6262a66f7a945377cf589831a765a2b3d90a48ea488

Download Submit
C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\spoolsv.exe

Filesize
1.6MB

MD5
bc571a2de7e86c68b82142c80cfe350c

SHA1
cec700cb8523587d7a953c24acae2d215ec48cd4

SHA256
8325d330854fb9e533e00c5b15b6504cb697f7809a35e8bbb4c9004de6b66ea2

SHA512
1aa8a53284889b587329cf4bfa70f0f4f2c1262726672d170d25c21ed803c1eaf940383c226dcdb9d39bc93466b52fed44824f03a9dd74372617f194719bd971

Download Submit
C:\Users\Admin\AppData\Local\Temp\0de8b96c-d843-42ab-8a9b-16df130e0548.vbs

Filesize
707B

MD5
07a6ce11beb25b799c2d4e0605ce0c9b

SHA1
2eac900af5b8dde98a77520a72754206a93df04e

SHA256
902e8e19ca153055db7b25796d44a08c5e10ab3b6ed3564b1185f1cd2008884f

SHA512
f693351942719b3731b7a75893ec4c3487e08aa98c66372033b52eaa5b7267c372a4d65b233433a2667f1967ca62647632d672cf7cfa2550302a120b5606ead9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4291f409-b979-4e64-b501-4d12a58cdb2b.vbs

Filesize
484B

MD5
325806752c0ac7df2b23f49cd75f74c1

SHA1
197257ecf2468b655a42d5ba17e967e8a484b687

SHA256
8bbb218449b1d5a6acfb0bb80ef22000ab8d3d28381875523ceb341bda08a52c

SHA512
7abad7e0dbc627869077790c6571767751f64c8eab773ca59646c65cd77192e9e2ce454ef74a6435ace6d611bd4e02a41fa6a26c68a8d73033c6cad2f0384363

Download Submit
C:\Users\Admin\AppData\Local\Temp\5802f38e-1f19-4913-996d-91ec1ebd039b.vbs

Filesize
708B

MD5
f6cb180d53ab5fe84ffa8fd0e03ed324

SHA1
17d604fec464a0dc2731f99ebfa53ecc962ed28c

SHA256
62e1b8dfe2552376f454806407dafaba7647929156c792a8a4cf7c2a0454d184

SHA512
cad857099dacafe1a7ad4179a1fbe95b6c113ede7c14945c20cd412c12cdd7753d70ad3b33d1a5ebd60175c2f041c262000db40b810ff0a9a2756bfdebd429ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\629d6336-c9a0-41b2-8b0d-3b2478947b9f.vbs

Filesize
708B

MD5
4d85f598a06334b0390da2ea0fb3b51d

SHA1
668f5e6893e364b0772b9350df3b3e2669186c64

SHA256
819f133031e71cee2bebcffab1e2740a1681cc4ae0bab2df1ffcd4c1f354fb41

SHA512
1be419e30468e5fce65de0a72a7f050df95197e7f106a9fd46c8e4463e9829305bf2e2045397e612ad624cdec989b8fd427ababbb1fd735afeb2d7381092e2c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\65d7aab7-6c52-41fd-b285-7351b2fed014.vbs

Filesize
708B

MD5
f5eb5463446808923a6bac8c4d5261f9

SHA1
22d734cff358235c3d006619dc00200ebb29e896

SHA256
1d00c96f72b0dd5f922e76e0f5b4cee89c16c2de596bf867c6c593a307fb5520

SHA512
b9a05080c7212406b4ea492939e41e036b86a96f415855d5a2c51d70b4dae1a685131cecb5e9f77ef169510b812abe68b81710ece03d3b300f2ca78e1795df43

Download Submit
C:\Users\Admin\AppData\Local\Temp\67fc300a-53be-4fc5-af1b-7eb0b1e41e0e.vbs

Filesize
708B

MD5
c94c5e298ad683820cb327312197640f

SHA1
e3f80a0005b6f3e30ec8c96f33cf3444247bfb6e

SHA256
1071708c4ce12859a6e062aa87a2058d6d56b68daba36e17d49a9c8a93384418

SHA512
2eef7b92eefdf56837c226033743b1b206e5fde92614509e26af5003f05471e8aba42d8952eb67050998afd07e986fb0d8f3285d4600303cdf8cef42fe7ade61

Download Submit
C:\Users\Admin\AppData\Local\Temp\PjeqD3hzkr.bat

Filesize
267B

MD5
c2f4fea3fa246c4cac56675abd5a58ff

SHA1
021460bd6b9e5d68974cd1db572d1527046d4e63

SHA256
4ef63161a15f8db08f70b9b9e64b183caf03e4e0659dfc3a66e0304bc0c00546

SHA512
babe8c48ac936259fbd74704a8b297f5912a4a2fc870137a774ca1f20eedbf9c58192e7f44cd936f35aff8a8c512faff6064e22cddef2d57180b8e20a93a8143

Download Submit
C:\Users\Admin\AppData\Local\Temp\aaae2e9c-63db-4937-aaaa-87a109741517.vbs

Filesize
708B

MD5
b1cc8a773640ecb3f91c7f7f304aa62a

SHA1
36116b9294a0296c742a2b05b2ef74dff61fd8ad

SHA256
a49974324bb4804f16d8d8fbda8d1b96ba8394b2afdfb0560d23f76eac12f20b

SHA512
7c6cc719baa02316a423c131bc18d2ade622af5f2cb3a4bc77379b63a3cabb7b7aa5b88cc26635bfd25bda7cb09294414d0ab4c8efbd8ade677c94769c74aa7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\b2f0eaef-6db0-4e34-90be-371512e9041e.vbs

Filesize
708B

MD5
9bd12ddb0f261e06f4704e9b6047dd12

SHA1
0e6b45c5faf9f14405114f3a81eb71304f2d6280

SHA256
802c42f946ef903b66c5fdf2026ac5d96beff6d85fe971f604a4a1acc20f1c0a

SHA512
0a7398099e9a5a7b786cc2289ce1ab4afc5536a61bb454adc425cb681b6d1d51dd06fcebc92323e6a99c9380befe0aaa6b871a72e30f0f71404bdd4ba83955b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba63d757-f63f-4d8e-abec-3a96c3fe0a98.vbs

Filesize
708B

MD5
6ee890b3da62e5c6a4ece76b0562d251

SHA1
46252c34cf9b748e077e49656b33597b36fef9c8

SHA256
c1e3ddc571966dc97625355debb91a0c5fd0ca5fe80fb6bed9c81ff5c06473c7

SHA512
2378262f36b84df31eb9574cfb3a1f78ee025bd72bfbe8ecfd3338d563c864b32dc6afe5c680a67faebc9edaae07287a8f96c7a2b3eb6844eed84fbc56be70d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\c5386074-fd01-4d13-b95f-1bd553b518b6.vbs

Filesize
708B

MD5
b7a6057db4340aa45f622e43d7168390

SHA1
9bc683a4ff2cd16df4995eb8c43f7dcd433ba5f9

SHA256
a7a280ee0ba461dd85465d899e2763d2e5428050b42ac19739b9294fef25e365

SHA512
45f4c752c6ae0c03248a70fd85bc7320d7436f58d90317b1724af5071d559ab0b267fcfb31c19b529e82c9f3fe891b6b8a2a7b81766f433f412fd92c4f124da1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b9be8d00c2024d5746489dc5539a5a7e

SHA1
2e096a503f396a72c836ee8fec662ddf8e2cc9b4

SHA256
60bb964435310b575164b09ad204e9e372ebdd3f3bb411f049126ca00de87af6

SHA512
72689db1350b5bf7491441b5687ce3ecead5b690364b4c154e57970b94f22d5718edb8320351300f4b53da540b63ecf3c785725e352f66a3eb9faa6ee3d5559e

Download Submit
C:\Users\Default\csrss.exe

Filesize
1.6MB

MD5
3ab01349987d708fa83843e011c94075

SHA1
f25d0fa9f3720d66eeb663b821c49cf235f6a68f

SHA256
f41abbd12d8d603cd8cd2f7edd564335eeac388fdbd734c31d6ceba6991f0a30

SHA512
56f7657fe789e3a508d49bf3a39e35b0b4a5471f9510b751c24098844781c5d0c2da0a0fcb8e54d337d908d07ba0a1d2a1dc605dc48dc5f8099939bb55a7ede5

Download Submit
C:\Users\Default\lsm.exe

Filesize
1.6MB

MD5
9404fa901bb383c087bf1320c62739e4

SHA1
34f5516ee6e85193874afb0a346d948e8d95044f

SHA256
3a363cac038fa379fa9da99a302e4653cf6a289618bcb87a6d944db94a41a4c8

SHA512
38fa2569f36dac5ba15c0a9d7d6d6ec073c25d8f1b2e6219fec7c1de60e3e0ae77d63a4de28a49ada7ccb5fa0bc219ef4c88cfe6c41daa91551ae4efab80ad13

Download Submit
C:\Windows\Offline Web Pages\taskhost.exe

Filesize
1.6MB

MD5
a4098240ae131791926383daeeb801a4

SHA1
bbe2393e63fb3179cb56c00ee62589746250d684

SHA256
d10a19403059df563abb11e1e9ffb8f4f8fe7c40b9d0e965304180ea611da749

SHA512
3aecc4d4905b1ce0c888f0efe8986fd395cc689dfc0691517eae37eaf29100620cdbd1801a2cf55636ff8d832e53bd3124cf380dcc79320d21d17b1a054752f6

Download Submit
memory/316-414-0x0000000000D60000-0x0000000000F02000-memory.dmp

Filesize
1.6MB

Download
memory/1020-449-0x0000000000230000-0x00000000003D2000-memory.dmp

Filesize
1.6MB

Download
memory/1436-402-0x00000000000E0000-0x0000000000282000-memory.dmp

Filesize
1.6MB

Download
memory/1776-344-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1776-346-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1948-12-0x0000000000650000-0x000000000065E000-memory.dmp

Filesize
56KB

Download
memory/1948-14-0x0000000000810000-0x0000000000818000-memory.dmp

Filesize
32KB

Download
memory/1948-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/1948-201-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/1948-231-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-4-0x0000000000420000-0x0000000000430000-memory.dmp

Filesize
64KB

Download
memory/1948-13-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/1948-1-0x0000000000980000-0x0000000000B22000-memory.dmp

Filesize
1.6MB

Download
memory/1948-16-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/1948-15-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/1948-5-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/1948-2-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-0-0x000007FEF5C03000-0x000007FEF5C04000-memory.dmp

Filesize
4KB

Download
memory/1948-225-0x000007FEF5C00000-0x000007FEF65EC000-memory.dmp

Filesize
9.9MB

Download
memory/1948-11-0x0000000000640000-0x000000000064A000-memory.dmp

Filesize
40KB

Download
memory/1948-10-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1948-9-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1948-8-0x00000000005E0000-0x00000000005E8000-memory.dmp

Filesize
32KB

Download
memory/1948-7-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/1948-6-0x0000000000450000-0x0000000000458000-memory.dmp

Filesize
32KB

Download
memory/2336-461-0x0000000000BB0000-0x0000000000D52000-memory.dmp

Filesize
1.6MB

Download
memory/2396-343-0x0000000000090000-0x0000000000232000-memory.dmp

Filesize
1.6MB

Download
memory/2436-238-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2436-237-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2504-376-0x0000000001320000-0x00000000014C2000-memory.dmp

Filesize
1.6MB

Download
memory/2748-315-0x0000000000EA0000-0x0000000001042000-memory.dmp

Filesize
1.6MB

Download
memory/2988-437-0x0000000000220000-0x00000000003C2000-memory.dmp

Filesize
1.6MB

Download