dcrat | 01ffe9d6f323a1dafd7dbe75338596cb03cdbe970cdc964543ae03006c1ece85

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Size

1.6MB
MD5

2c4dbe075f37719580a096bf67bf048e
SHA1

71673f7af94683985e875f3db73cbf1a5509228e
SHA256

1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567
SHA512

6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70
SSDEEP

24576:6sm8JijftfWIqZpyh/X6bSmV2GKz1oncoiF9GFwUvpHk3tSfEybcswrJ4gOEGEk:6D8Jijt+xpS/ekYmLGdhEAf7bCcjE

Score

10^/10

dcrat execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2420	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2420	schtasks.exe	31

DCRat payload 15 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral25/memory/2540-1-0x0000000000AD0000-0x0000000000C72000-memory.dmp	dcrat
behavioral25/files/0x000500000001a4f3-25.dat	dcrat
behavioral25/files/0x000600000001a4e1-73.dat	dcrat
behavioral25/files/0x000600000001a4ed-95.dat	dcrat
behavioral25/files/0x000700000001a4f3-106.dat	dcrat
behavioral25/files/0x000800000001a5ad-129.dat	dcrat
behavioral25/files/0x000800000001ad6c-140.dat	dcrat
behavioral25/memory/1916-184-0x00000000013E0000-0x0000000001582000-memory.dmp	dcrat
behavioral25/memory/2452-226-0x00000000001B0000-0x0000000000352000-memory.dmp	dcrat
behavioral25/memory/2272-238-0x0000000000390000-0x0000000000532000-memory.dmp	dcrat
behavioral25/memory/2960-250-0x0000000000E10000-0x0000000000FB2000-memory.dmp	dcrat
behavioral25/memory/2760-262-0x00000000000A0000-0x0000000000242000-memory.dmp	dcrat
behavioral25/memory/2512-274-0x00000000012D0000-0x0000000001472000-memory.dmp	dcrat
behavioral25/memory/1844-330-0x00000000002E0000-0x0000000000482000-memory.dmp	dcrat
behavioral25/memory/1488-342-0x00000000010C0000-0x0000000001262000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2052	powershell.exe
2492	powershell.exe
3012	powershell.exe
1512	powershell.exe
2284	powershell.exe
788	powershell.exe
2556	powershell.exe
1724	powershell.exe
1520	powershell.exe
532	powershell.exe
2188	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1916	winlogon.exe
2452	winlogon.exe
2272	winlogon.exe
2960	winlogon.exe
2760	winlogon.exe
2512	winlogon.exe
2188	winlogon.exe
2360	winlogon.exe
2168	winlogon.exe
2944	winlogon.exe
1844	winlogon.exe
1488	winlogon.exe
2440	winlogon.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\AdvancedInstallers\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\WMIADAP.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXFBDB.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\75a57c1bdf437c	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\cc11b995f2a76d	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\RCXF6B8.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\RCXF726.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\RCXFBDA.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\fr-FR\WMIADAP.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Migration\WTR\RCXF242.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Migration\WTR\csrss.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\ja-JP\WMIADAP.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\ja-JP\75a57c1bdf437c	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Migration\WTR\csrss.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File created	C:\Windows\Migration\WTR\886983d96e3d3e	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\ja-JP\WMIADAP.exe	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\ja-JP\RCXEF62.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\ja-JP\RCXEF63.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
File opened for modification	C:\Windows\Migration\WTR\RCXF1D4.tmp	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1200	schtasks.exe
1936	schtasks.exe
1580	schtasks.exe
1912	schtasks.exe
1244	schtasks.exe
2092	schtasks.exe
1640	schtasks.exe
2812	schtasks.exe
1948	schtasks.exe
1412	schtasks.exe
236	schtasks.exe
1768	schtasks.exe
2176	schtasks.exe
2112	schtasks.exe
1840	schtasks.exe
2972	schtasks.exe
2920	schtasks.exe
2932	schtasks.exe
2680	schtasks.exe
1932	schtasks.exe
2272	schtasks.exe
2952	schtasks.exe
2796	schtasks.exe
2708	schtasks.exe
836	schtasks.exe
1368	schtasks.exe
2888	schtasks.exe
2020	schtasks.exe
2868	schtasks.exe
2988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
2188	powershell.exe
1512	powershell.exe
2492	powershell.exe
1520	powershell.exe
532	powershell.exe
2556	powershell.exe
2052	powershell.exe
788	powershell.exe
1724	powershell.exe
3012	powershell.exe
1916	winlogon.exe
2452	winlogon.exe
2272	winlogon.exe
2960	winlogon.exe
2760	winlogon.exe
2512	winlogon.exe
2188	winlogon.exe
2360	winlogon.exe
2168	winlogon.exe
2944	winlogon.exe
1844	winlogon.exe
1488	winlogon.exe
2440	winlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1916	winlogon.exe
Token: SeDebugPrivilege	532	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2452	winlogon.exe
Token: SeDebugPrivilege	2272	winlogon.exe
Token: SeDebugPrivilege	2960	winlogon.exe
Token: SeDebugPrivilege	2760	winlogon.exe
Token: SeDebugPrivilege	2512	winlogon.exe
Token: SeDebugPrivilege	2188	winlogon.exe
Token: SeDebugPrivilege	2360	winlogon.exe
Token: SeDebugPrivilege	2168	winlogon.exe
Token: SeDebugPrivilege	2944	winlogon.exe
Token: SeDebugPrivilege	1844	winlogon.exe
Token: SeDebugPrivilege	1488	winlogon.exe
Token: SeDebugPrivilege	2440	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2052	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	62
PID 2540 wrote to memory of 2052	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	62
PID 2540 wrote to memory of 2052	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	62
PID 2540 wrote to memory of 2188	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	63
PID 2540 wrote to memory of 2188	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	63
PID 2540 wrote to memory of 2188	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	63
PID 2540 wrote to memory of 2284	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	64
PID 2540 wrote to memory of 2284	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	64
PID 2540 wrote to memory of 2284	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	64
PID 2540 wrote to memory of 532	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	65
PID 2540 wrote to memory of 532	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	65
PID 2540 wrote to memory of 532	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	65
PID 2540 wrote to memory of 1520	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	66
PID 2540 wrote to memory of 1520	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	66
PID 2540 wrote to memory of 1520	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	66
PID 2540 wrote to memory of 1512	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	67
PID 2540 wrote to memory of 1512	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	67
PID 2540 wrote to memory of 1512	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	67
PID 2540 wrote to memory of 1724	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	70
PID 2540 wrote to memory of 1724	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	70
PID 2540 wrote to memory of 1724	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	70
PID 2540 wrote to memory of 2556	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	71
PID 2540 wrote to memory of 2556	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	71
PID 2540 wrote to memory of 2556	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	71
PID 2540 wrote to memory of 3012	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	73
PID 2540 wrote to memory of 3012	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	73
PID 2540 wrote to memory of 3012	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	73
PID 2540 wrote to memory of 788	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	74
PID 2540 wrote to memory of 788	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	74
PID 2540 wrote to memory of 788	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	74
PID 2540 wrote to memory of 2492	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	76
PID 2540 wrote to memory of 2492	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	76
PID 2540 wrote to memory of 2492	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	76
PID 2540 wrote to memory of 1916	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	84
PID 2540 wrote to memory of 1916	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	84
PID 2540 wrote to memory of 1916	2540	1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe	84
PID 1916 wrote to memory of 2624	1916	winlogon.exe	85
PID 1916 wrote to memory of 2624	1916	winlogon.exe	85
PID 1916 wrote to memory of 2624	1916	winlogon.exe	85
PID 1916 wrote to memory of 2436	1916	winlogon.exe	86
PID 1916 wrote to memory of 2436	1916	winlogon.exe	86
PID 1916 wrote to memory of 2436	1916	winlogon.exe	86
PID 2624 wrote to memory of 2452	2624	WScript.exe	87
PID 2624 wrote to memory of 2452	2624	WScript.exe	87
PID 2624 wrote to memory of 2452	2624	WScript.exe	87
PID 2452 wrote to memory of 764	2452	winlogon.exe	88
PID 2452 wrote to memory of 764	2452	winlogon.exe	88
PID 2452 wrote to memory of 764	2452	winlogon.exe	88
PID 2452 wrote to memory of 3032	2452	winlogon.exe	89
PID 2452 wrote to memory of 3032	2452	winlogon.exe	89
PID 2452 wrote to memory of 3032	2452	winlogon.exe	89
PID 764 wrote to memory of 2272	764	WScript.exe	90
PID 764 wrote to memory of 2272	764	WScript.exe	90
PID 764 wrote to memory of 2272	764	WScript.exe	90
PID 2272 wrote to memory of 2672	2272	winlogon.exe	91
PID 2272 wrote to memory of 2672	2272	winlogon.exe	91
PID 2272 wrote to memory of 2672	2272	winlogon.exe	91
PID 2272 wrote to memory of 2396	2272	winlogon.exe	92
PID 2272 wrote to memory of 2396	2272	winlogon.exe	92
PID 2272 wrote to memory of 2396	2272	winlogon.exe	92
PID 2672 wrote to memory of 2960	2672	WScript.exe	93
PID 2672 wrote to memory of 2960	2672	WScript.exe	93
PID 2672 wrote to memory of 2960	2672	WScript.exe	93
PID 2960 wrote to memory of 1640	2960	winlogon.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe
"C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2284
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Minesweeper\fr-FR\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\taskhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2492
- C:\Users\Default\Start Menu\winlogon.exe
  "C:\Users\Default\Start Menu\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3c8e6f79-ed1d-46b6-bbd7-e0b1076ee6ea.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Default\Start Menu\winlogon.exe
      "C:\Users\Default\Start Menu\winlogon.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4d972f84-562a-4d55-abde-4a131bece538.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc5321ae-ae38-4bb8-99c3-fd9f74fba21b.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\361ee57f-d57c-4d43-b04b-af934461cb95.vbs"
        9⤵
        
        PID:1640
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\061e713f-9c78-46a3-a56a-a145feb9d255.vbs"
        11⤵
        
        PID:1648
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\45911a3f-01c9-428d-971c-d8d04431a7f9.vbs"
        13⤵
        
        PID:2368
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\044bfc2a-013c-42ad-8658-2320ad845f36.vbs"
        15⤵
        
        PID:1728
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f40689e-9ea7-4961-b8bc-a72ea4299289.vbs"
        17⤵
        
        PID:1632
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3ad4cbfc-6c99-44da-8e0b-24a6d3a1628e.vbs"
        19⤵
        
        PID:1148
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f45e7448-a9bd-41d6-9684-e4ae84e632ad.vbs"
        21⤵
        
        PID:676
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\03f9a47a-3c17-41ea-b405-ab41bfd8a90e.vbs"
        23⤵
        
        PID:1872
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\6c922adb-31b8-4c4e-af47-e81cb02ed99e.vbs"
        25⤵
        
        PID:2336
        
        C:\Users\Default\Start Menu\winlogon.exe
        
        "C:\Users\Default\Start Menu\winlogon.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0cfa8eec-76e8-47d6-beec-0e60df106dea.vbs"
        27⤵
        
        PID:2612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3eaf5892-4107-491c-9efc-4ec17af85328.vbs"
        27⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3f6f90de-3883-4786-96c7-8135bd95f4f8.vbs"
        25⤵
        
        PID:3016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d08f900a-280b-4861-9edb-595047a2dff0.vbs"
        23⤵
        
        PID:2564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac0959c0-2b45-4532-9e4e-dba1174477b2.vbs"
        21⤵
        
        PID:3056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc9adeef-806c-42af-85b0-bc652d4275b5.vbs"
        19⤵
        
        PID:1620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\339b84ba-0262-4c83-bf20-fa5374119f51.vbs"
        17⤵
        
        PID:1352
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1556f8e8-86c3-4814-a8d1-0239fb6b8848.vbs"
        15⤵
        
        PID:2120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\75d44824-0017-4362-8cf6-58c95dc995d7.vbs"
        13⤵
        
        PID:2824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35d166b9-8fff-4978-9752-8d8f9911adf9.vbs"
        11⤵
        
        PID:748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dfe9c786-f290-48b8-a5f4-7ef1a3f6cedb.vbs"
        9⤵
        
        PID:2988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d805a61e-bc47-4202-b534-fd92eb3d231c.vbs"
        7⤵
        
        PID:2396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3a987036-63f2-4637-befc-51e0a30fffef.vbs"
        5⤵
        
        PID:3032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\affe6896-a6ea-44ea-8af3-e28b3557931d.vbs"
    3⤵
    PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\AppData\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Minesweeper\fr-FR\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Minesweeper\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\Minesweeper\fr-FR\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Games\Minesweeper\fr-FR\WMIADAP.exe

Filesize
1.6MB

MD5
2c4dbe075f37719580a096bf67bf048e

SHA1
71673f7af94683985e875f3db73cbf1a5509228e

SHA256
1f824bf7c73eeef309d3a30fff4e924f91870de0fc5990adc2d0a1a42284f567

SHA512
6d5bed3e46aa8e02d678c0a3f1ff6be56b776980af341e9ef84d9febaad843dfa2df28083ff6d8dcad9e74d4724ee1f09190b093c9bb3d1cb78068ca219d3c70

Download Submit
C:\Program Files\Microsoft Games\Minesweeper\fr-FR\WMIADAP.exe

Filesize
1.6MB

MD5
0d96eaad01f7ad9a4580365d4c286a5f

SHA1
62a11e58a4bfe6fc375a48cbc5a8ddd5aa1a1f6b

SHA256
1e9917dca9d5fb4df720ad9a75ef0ee2661acdc8312f3df310669938dcc7291b

SHA512
9f81debb2806e3d13b5b2d62857c782238dfbf9d214d8447f8307839c7015a492844cd6b23d6388a2f0d90e85057b556ca513f0dec868a0ddc5f3f86d65ca8ee

Download Submit
C:\ProgramData\Microsoft\Windows\Templates\taskhost.exe

Filesize
1.6MB

MD5
fd2ca514b09e342997acbad195b8209b

SHA1
7ba3ce55e9a04837cad75c7b5e7ed72d87a2e965

SHA256
524f85c994b4e3a882934a0456005a80164272a64f08edfdc9eec690892d7e7f

SHA512
9591c1391866cca8b336d7b7eb5ecf1718d4285e203cc426535bf64d99fda4070bdeb70e02f08e9113afe80a29d877bde0d4158956f65db843e6eda4cfd665f9

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WMIADAP.exe

Filesize
1.6MB

MD5
c1c30dfd47c4b700f0ff68b88089db97

SHA1
5812a2282fa4ab863381f623882f53c02bf0dbca

SHA256
da2403ab4eab53d1327cc8e7011ce72b9e076c874bc038f08e5141d22707e37a

SHA512
729be9a0602a6d7f882257e9c1ab1dca4eba7909efa8e37d997d7f46d4ae63c3069a27a70116de40b7bd0e214e38966abff88343cc2485a2ebb3ad691842224e

Download Submit
C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\csrss.exe

Filesize
1.6MB

MD5
d8d44124d09a6be5de2bab43ff012f8a

SHA1
80e758e92eb5c55b4730638946c3fdfd0b774417

SHA256
c95cd1fa40d298cea12a2d5e3a54fbc00374985005bd62cf15d036b6e5e5fed9

SHA512
de91fb9335b33780ca448b39ec22328db93bd3fd951d261d00c5850aa2b85438ecf2fcd45bc4bcb28b9a62810eec419652e5e98b41513add1266dc0653eb397b

Download Submit
C:\Users\Admin\AppData\Local\Temp\03f9a47a-3c17-41ea-b405-ab41bfd8a90e.vbs

Filesize
716B

MD5
5e21fe2b087e6f5f333d92335cbc95f8

SHA1
a77e37d75d9eb21cc20afab59765f8a29a432ba6

SHA256
4c5c38432f04800de07dfc2df8bb8c73e527c0673f1b06183cb595b3804fc7d2

SHA512
4e5909fe89e5adaa98a8fbce3b3fa2ac0299348acc671b92405a072c7fb805c81a306af7861db667e04aa49a3bdd469cf202caf00e9b05c9ef19aa62f1c155dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\044bfc2a-013c-42ad-8658-2320ad845f36.vbs

Filesize
716B

MD5
3373c353aa328b54c46005e6ef0d69bc

SHA1
025825cf068b07653cded85313289b97f50b9538

SHA256
eae01d227863daa6ef46526aa929ada2ea5db54df0142161ac0266baa85848bd

SHA512
433af2d29420da4a461b8edf11f3c0e406d39d2c9eef7a53ca2f820c328b1a6af23afb8637732c50c73a60ccc3178ab0eab30558ca44375298def1c74190b992

Download Submit
C:\Users\Admin\AppData\Local\Temp\061e713f-9c78-46a3-a56a-a145feb9d255.vbs

Filesize
716B

MD5
6f63eb7811034059f4eef7f9341c6dc4

SHA1
102a3a09c281293e73c295f1f604f16a5cdbeb71

SHA256
0b6f327630b2aaca2fe45f55d7b229deb5ed58e53427dcd39a0b5499f55da690

SHA512
53007182aff323c951840782086a64fbc514914c38f6df82df5389ca8cce10de4e7815b11a144dd491e5a9d7fa9fc56c69a4210547a4cbed64e0c2752cfc7b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\0cfa8eec-76e8-47d6-beec-0e60df106dea.vbs

Filesize
716B

MD5
a3865efd98619d047173c0b48343ab9c

SHA1
5a94817a3852fd6b0ee83f0fd40a710d7baffe1b

SHA256
c7afab86b704c23b62f3a66ca55d371a95460351ca806ae30ed2bbe7be2b0062

SHA512
a75dd814dcf1af51ee29e6225874798acf6b9e297551f46fcb45dd97ed15de44db5efb2a34967fea617003c242bc21f3ac692d1a20f033960e7569018f1172fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\361ee57f-d57c-4d43-b04b-af934461cb95.vbs

Filesize
716B

MD5
9901c00110c7b62469fc29fce913b35f

SHA1
0ada99fabf906766739352bbc0ec6fadf45cea87

SHA256
23524f757ec02203f1e746c34a9c28ad213178fd84c35969432d34dc424e356d

SHA512
b87456301af4cc70c0bf6d76b9c93d239e9042dc8aaada6d809d83e5fccda803ab0bc0ceab41d6a53fa0287de47ddc5dfd370a5d88d9361efec809241cbf3287

Download Submit
C:\Users\Admin\AppData\Local\Temp\3ad4cbfc-6c99-44da-8e0b-24a6d3a1628e.vbs

Filesize
716B

MD5
f361feb251189b05ee2213677846a1b6

SHA1
b33c42fbeff0a80f8dd579b2eb923c672c532d53

SHA256
94cbc6ac9850fe360df5bc16821085d962bbaad8b7dfc3d9297dd46ac143cd4c

SHA512
bca71bc042f779e9b612dbcb647cc8a7123275bd9487b3d297796ba01ff5c4a8f811fa6977641bd57f69d25f03bbc8c44c33ea32218a9a16f39f827c7162c5b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3c8e6f79-ed1d-46b6-bbd7-e0b1076ee6ea.vbs

Filesize
716B

MD5
f5ba3496ef4e81af10781a2485a96f99

SHA1
cb3cce66a6cadcdec0de71194114d743114aaafe

SHA256
dea639a0aefee725dbb03d93dc9afce5a1423682ee744af0cbd84d1f1b7a13ac

SHA512
68e01e1a0a0b11b163dcec55a143c0efcf8f6de36daef986d238f43a4e124ef03d41073e3bd8a3bdf83c2a2af3cd7deb4103f97db583b0a5eb5990893634625c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3f40689e-9ea7-4961-b8bc-a72ea4299289.vbs

Filesize
716B

MD5
fe4920a87d5e78510f6d380c36b6fd86

SHA1
8815446f801fe67a349ad5ae2741775078b64176

SHA256
8991107ebcb3a949cbf245959c5a2d1c54d9947d05709cade38bff194c35d633

SHA512
a3572f3afd36ac3420ff0dd0b4645710060784b255d975a77210f8c51155ef04ea1a9b34753d41f04f6fe05aba53145ebc0bd369bf5960fcbc55b22527ffee00

Download Submit
C:\Users\Admin\AppData\Local\Temp\45911a3f-01c9-428d-971c-d8d04431a7f9.vbs

Filesize
716B

MD5
434e1bdaabd47f550ac48a6bd72feeab

SHA1
6fd10974aa525fca7f3bb5d735fd3f3f4eccc916

SHA256
660c3df8c4c925c12a8028a01e4f4d08ffd5aa14f4192ae43648d3c3d7ff6529

SHA512
14c8d28f9e1ebffd246b0df368d3ccb97025b45055562b9f4521f4ec0e85f317f5f8b0ba8dec42a221a0ff54fe3c85dfa329fe16a95a62c1f0227f03d8c82b82

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d972f84-562a-4d55-abde-4a131bece538.vbs

Filesize
716B

MD5
0d3018d95954d1c35f8dfc4e2a908727

SHA1
651d9da15ea3f57c48f30182e7d710b2597f56ac

SHA256
77f71bf76d221ca1acf71310f9e2f96ded3d5f051090a03f861b9fe0c50bcd82

SHA512
63532224ccb5f1fe167b886da11aa2023ac7faf36a2c1f9e03dc74b27433c8d3de9cb95d2ebe7dddc1efc5f2d575073a708f43372d51d2507e32fa74580d2cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\6c922adb-31b8-4c4e-af47-e81cb02ed99e.vbs

Filesize
716B

MD5
462a5ad4b37aea66c36f8139391890d5

SHA1
cc2aa030e7de48bd3c5504a71bf09473826a66be

SHA256
a9cab241a525bf6aed22e0797bdd26693c5038edd94b7ccae61117dbd8a16e35

SHA512
6f27cd1f0557d555f1186139c96565cbfd6c5966d6cf3bfae74529c9a3aa14d104dc31b282b1558ea6a38a11dc6fb92873a7baf30aed8db6927fa2a4d2acef75

Download Submit
C:\Users\Admin\AppData\Local\Temp\affe6896-a6ea-44ea-8af3-e28b3557931d.vbs

Filesize
492B

MD5
2460657ac2b0582f6ed18ab7ff3a1db1

SHA1
ea13ccba6845d8868c66ded19c74a5425e58800c

SHA256
407e565ecdffba6a349540bbf10b0c9b13258446478b689e3561cfd9d29377de

SHA512
8cb963413dd36f14994ea4881f33bfaba2450a8b3e62190fe4b8adc65c5e5516636014b9d45067691a50352cce77a3a346788595e3b7fa6d0aa2ecd4b52a6c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc5321ae-ae38-4bb8-99c3-fd9f74fba21b.vbs

Filesize
716B

MD5
ab1efc280fcd06e3bb7a76211de8f2ec

SHA1
67aa37390060c20de2a622aec0a0d16dc4f039b2

SHA256
5a8ef1293d0bd805f9f500754dd26d853cd944f8196147144ffbc9694ef38824

SHA512
00edd83ab580ef6bd4cc17f3ad7540e6f8059570c671251d75c93190248835e2652a1023a4bfc1a4e4d85f3457e11c44ce2c9c13e557a3b33a301e0c9d8110c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f45e7448-a9bd-41d6-9684-e4ae84e632ad.vbs

Filesize
716B

MD5
e1f0471907d09a559478cbe05a6d7ae7

SHA1
c93484163bbeaaf44110923b93d4207bbb6684a7

SHA256
1409ecd08bcc5f4d2e585688622335c71d47d0ff2059a37bea62f50a0f0cbc7a

SHA512
12ca92d8837e0ff797b8d534a14352f4561baa6abef776dadfa4b99f591a6f1c0ea1c2622f51bc1a8860be3d0ed52ddd5c36fe7d5f6c5b3b2707a86628c19515

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5b3f90ba626e6d814ceb6d3def6a4f14

SHA1
829c441f411584b9a6c4297197b96410f2cca57d

SHA256
1decb0544262a166ab7b69ff2c99501a8bfdc47b48fc5a5b92df6824dbe571ca

SHA512
e557ac09af8fc9e07f3ab4bd0552bd7ca2df3811b0999b25704ec4037bd3f34024c783f6c1666a8d516396e8d7f5a89e9f6ac567567ea99ebfbf63b4faa61647

Download Submit
C:\Windows\Migration\WTR\csrss.exe

Filesize
1.6MB

MD5
1b016f7491287b8f8bd961b7db5e55e4

SHA1
181f526f637fd7ed0ff0bc8d08457e474d659e89

SHA256
f2968d88de3566ff1370be1d1b36e4d0370230545dc3c829d87d107e19bafd70

SHA512
ad165aca4f5629cb43aedb86f29d16b8d3946092ae3d3b8ba9d7fa6a7c3ad12ce8509b1d10b830d524155edf8a9a9d4c38c46cd99260e8adacde374c560a707e

Download Submit
memory/1488-342-0x00000000010C0000-0x0000000001262000-memory.dmp

Filesize
1.6MB

Download
memory/1844-330-0x00000000002E0000-0x0000000000482000-memory.dmp

Filesize
1.6MB

Download
memory/1916-184-0x00000000013E0000-0x0000000001582000-memory.dmp

Filesize
1.6MB

Download
memory/2188-166-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2188-173-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2272-238-0x0000000000390000-0x0000000000532000-memory.dmp

Filesize
1.6MB

Download
memory/2452-226-0x00000000001B0000-0x0000000000352000-memory.dmp

Filesize
1.6MB

Download
memory/2512-274-0x00000000012D0000-0x0000000001472000-memory.dmp

Filesize
1.6MB

Download
memory/2540-12-0x00000000020F0000-0x00000000020FE000-memory.dmp

Filesize
56KB

Download
memory/2540-7-0x00000000020A0000-0x00000000020B0000-memory.dmp

Filesize
64KB

Download
memory/2540-16-0x00000000022C0000-0x00000000022CC000-memory.dmp

Filesize
48KB

Download
memory/2540-15-0x0000000002120000-0x000000000212A000-memory.dmp

Filesize
40KB

Download
memory/2540-14-0x0000000002110000-0x0000000002118000-memory.dmp

Filesize
32KB

Download
memory/2540-1-0x0000000000AD0000-0x0000000000C72000-memory.dmp

Filesize
1.6MB

Download
memory/2540-13-0x0000000002100000-0x0000000002108000-memory.dmp

Filesize
32KB

Download
memory/2540-2-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-0-0x000007FEF5E43000-0x000007FEF5E44000-memory.dmp

Filesize
4KB

Download
memory/2540-11-0x00000000020E0000-0x00000000020EA000-memory.dmp

Filesize
40KB

Download
memory/2540-10-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2540-9-0x0000000002090000-0x000000000209C000-memory.dmp

Filesize
48KB

Download
memory/2540-8-0x0000000002080000-0x0000000002088000-memory.dmp

Filesize
32KB

Download
memory/2540-186-0x000007FEF5E40000-0x000007FEF682C000-memory.dmp

Filesize
9.9MB

Download
memory/2540-6-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/2540-5-0x0000000000A20000-0x0000000000A36000-memory.dmp

Filesize
88KB

Download
memory/2540-4-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/2540-3-0x0000000000A00000-0x0000000000A1C000-memory.dmp

Filesize
112KB

Download
memory/2760-262-0x00000000000A0000-0x0000000000242000-memory.dmp

Filesize
1.6MB

Download
memory/2960-250-0x0000000000E10000-0x0000000000FB2000-memory.dmp

Filesize
1.6MB

Download