dcrat | f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Size

885KB
MD5

63fa59f7c83ec1df2eac00cc85696830
SHA1

799e9ea365e4ad95c05d21e275e72438882ad776
SHA256

f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6
SHA512

0fc737e68a46d1af83e99b67f066b94bbfaad74bbeeeb183fda33337576fdca3c00fc894706bcfd75d74f0a6432982955a1fdba84fd13252413402c3aa9017d3
SSDEEP

12288:0lNE5VnZuh+ZIlXJBH5SP2I/lwvDT77/wOKsV42i3GULVaHeopyyx:0lNCv6XJ5BClaXfD9vUha+u

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6012	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5792	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5888	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4852	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4472	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5436	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5708	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5540	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3760	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4776	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5840	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5188	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5620	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5908	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5168	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5580	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3104	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5524	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3356	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3772	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5312	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5492	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6020	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5260	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	6088	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5640	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5584	4512	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5764	4512	schtasks.exe	86

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/memory/5948-1-0x0000000000580000-0x0000000000664000-memory.dmp	dcrat
behavioral2/files/0x000e000000022ef1-21.dat	dcrat
behavioral2/files/0x000e000000024248-139.dat	dcrat
behavioral2/files/0x000c000000024273-217.dat	dcrat
behavioral2/files/0x000d000000024274-283.dat	dcrat

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 15 IoCs

pid	Process
4804	sihost.exe
5124	sihost.exe
1452	sihost.exe
1960	sihost.exe
5800	sihost.exe
4524	sihost.exe
3488	sihost.exe
5396	sihost.exe
5368	sihost.exe
1700	sihost.exe
6104	sihost.exe
4404	sihost.exe
1092	sihost.exe
3556	sihost.exe
4312	sihost.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX668B.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX4DD0.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\5b884080fd4f94	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RCX667B.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Windows Media Player\9e8d7a4ca61bd9	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\27d1bcfc3c54e0	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX4DAD.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\RCX4DAE.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\RCX4E4E.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX677A.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\9e8d7a4ca61bd9	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\RCX670B.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Globalization\69ddcba757bf72	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\Microsoft.NET\Framework64\1031\RuntimeBroker.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\IdentityCRL\production\RCX6626.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\Help\Help\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\RCX4D66.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\RCX4D77.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Globalization\RCX4DBF.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\Microsoft.NET\Framework64\1031\9e8d7a4ca61bd9	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\1031\RCX678B.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Help\Help\RCX4DAC.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\SystemResources\wininit.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\27d1bcfc3c54e0	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\Help\Help\eb2a544a2102f2	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Globalization\RCX4DBE.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\IdentityCRL\production\RCX6584.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\ModemLogs\RCX6658.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\Globalization\smss.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Help\Help\RCX4D9B.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\IdentityCRL\production\RuntimeBroker.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\IdentityCRL\production\RCX6585.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\IdentityCRL\production\RCX6647.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\ModemLogs\RCX6648.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\IdentityCRL\production\smss.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\IdentityCRL\production\69ddcba757bf72	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\IdentityCRL\production\9e8d7a4ca61bd9	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\1031\RCX677B.tmp	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\ModemLogs\Registry.exe	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
File created	C:\Windows\ModemLogs\ee2ad38f3d4382	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2252	schtasks.exe
4772	schtasks.exe
5840	schtasks.exe
3716	schtasks.exe
1608	schtasks.exe
5584	schtasks.exe
4864	schtasks.exe
3708	schtasks.exe
5540	schtasks.exe
4052	schtasks.exe
1196	schtasks.exe
5312	schtasks.exe
5640	schtasks.exe
6012	schtasks.exe
5524	schtasks.exe
3772	schtasks.exe
5112	schtasks.exe
5792	schtasks.exe
4472	schtasks.exe
4752	schtasks.exe
5620	schtasks.exe
3032	schtasks.exe
4300	schtasks.exe
4976	schtasks.exe
5908	schtasks.exe
4852	schtasks.exe
6020	schtasks.exe
2304	schtasks.exe
2612	schtasks.exe
5580	schtasks.exe
2868	schtasks.exe
6088	schtasks.exe
5888	schtasks.exe
4776	schtasks.exe
5188	schtasks.exe
5060	schtasks.exe
3612	schtasks.exe
5260	schtasks.exe
616	schtasks.exe
5708	schtasks.exe
5168	schtasks.exe
3012	schtasks.exe
5492	schtasks.exe
4884	schtasks.exe
3132	schtasks.exe
1412	schtasks.exe
5544	schtasks.exe
5436	schtasks.exe
5000	schtasks.exe
3640	schtasks.exe
3760	schtasks.exe
2664	schtasks.exe
3404	schtasks.exe
2632	schtasks.exe
620	schtasks.exe
1932	schtasks.exe
4816	schtasks.exe
3104	schtasks.exe
3356	schtasks.exe
2492	schtasks.exe
2384	schtasks.exe
5764	schtasks.exe
2656	schtasks.exe
2592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
5948	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
5948	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
5948	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
4804	sihost.exe
5124	sihost.exe
1452	sihost.exe
1452	sihost.exe
1960	sihost.exe
5800	sihost.exe
5800	sihost.exe
4524	sihost.exe
3488	sihost.exe
5396	sihost.exe
5368	sihost.exe
1700	sihost.exe
6104	sihost.exe
4404	sihost.exe
1092	sihost.exe
3556	sihost.exe
4312	sihost.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	5948	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Token: SeDebugPrivilege	4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Token: SeDebugPrivilege	4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
Token: SeDebugPrivilege	4804	sihost.exe
Token: SeDebugPrivilege	5124	sihost.exe
Token: SeDebugPrivilege	1452	sihost.exe
Token: SeDebugPrivilege	1960	sihost.exe
Token: SeDebugPrivilege	5800	sihost.exe
Token: SeDebugPrivilege	4524	sihost.exe
Token: SeDebugPrivilege	3488	sihost.exe
Token: SeDebugPrivilege	5396	sihost.exe
Token: SeDebugPrivilege	5368	sihost.exe
Token: SeDebugPrivilege	1700	sihost.exe
Token: SeDebugPrivilege	6104	sihost.exe
Token: SeDebugPrivilege	4404	sihost.exe
Token: SeDebugPrivilege	1092	sihost.exe
Token: SeDebugPrivilege	3556	sihost.exe
Token: SeDebugPrivilege	4312	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5948 wrote to memory of 4572	5948	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	95
PID 5948 wrote to memory of 4572	5948	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	95
PID 4572 wrote to memory of 5652	4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	118
PID 4572 wrote to memory of 5652	4572	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	118
PID 5652 wrote to memory of 3588	5652	cmd.exe	120
PID 5652 wrote to memory of 3588	5652	cmd.exe	120
PID 5652 wrote to memory of 4156	5652	cmd.exe	124
PID 5652 wrote to memory of 4156	5652	cmd.exe	124
PID 4156 wrote to memory of 5072	4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	165
PID 4156 wrote to memory of 5072	4156	f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe	165
PID 5072 wrote to memory of 5384	5072	cmd.exe	167
PID 5072 wrote to memory of 5384	5072	cmd.exe	167
PID 5072 wrote to memory of 4804	5072	cmd.exe	170
PID 5072 wrote to memory of 4804	5072	cmd.exe	170
PID 4804 wrote to memory of 2812	4804	sihost.exe	171
PID 4804 wrote to memory of 2812	4804	sihost.exe	171
PID 4804 wrote to memory of 1040	4804	sihost.exe	172
PID 4804 wrote to memory of 1040	4804	sihost.exe	172
PID 2812 wrote to memory of 5124	2812	WScript.exe	173
PID 2812 wrote to memory of 5124	2812	WScript.exe	173
PID 5124 wrote to memory of 412	5124	sihost.exe	174
PID 5124 wrote to memory of 412	5124	sihost.exe	174
PID 5124 wrote to memory of 1288	5124	sihost.exe	175
PID 5124 wrote to memory of 1288	5124	sihost.exe	175
PID 412 wrote to memory of 1452	412	WScript.exe	181
PID 412 wrote to memory of 1452	412	WScript.exe	181
PID 1452 wrote to memory of 5616	1452	sihost.exe	182
PID 1452 wrote to memory of 5616	1452	sihost.exe	182
PID 1452 wrote to memory of 4936	1452	sihost.exe	183
PID 1452 wrote to memory of 4936	1452	sihost.exe	183
PID 5616 wrote to memory of 1960	5616	WScript.exe	187
PID 5616 wrote to memory of 1960	5616	WScript.exe	187
PID 1960 wrote to memory of 1420	1960	sihost.exe	188
PID 1960 wrote to memory of 1420	1960	sihost.exe	188
PID 1960 wrote to memory of 2888	1960	sihost.exe	189
PID 1960 wrote to memory of 2888	1960	sihost.exe	189
PID 1420 wrote to memory of 5800	1420	WScript.exe	190
PID 1420 wrote to memory of 5800	1420	WScript.exe	190
PID 5800 wrote to memory of 2364	5800	sihost.exe	191
PID 5800 wrote to memory of 2364	5800	sihost.exe	191
PID 5800 wrote to memory of 5624	5800	sihost.exe	192
PID 5800 wrote to memory of 5624	5800	sihost.exe	192
PID 2364 wrote to memory of 4524	2364	WScript.exe	193
PID 2364 wrote to memory of 4524	2364	WScript.exe	193
PID 4524 wrote to memory of 5656	4524	sihost.exe	194
PID 4524 wrote to memory of 5656	4524	sihost.exe	194
PID 4524 wrote to memory of 1476	4524	sihost.exe	195
PID 4524 wrote to memory of 1476	4524	sihost.exe	195
PID 5656 wrote to memory of 3488	5656	WScript.exe	196
PID 5656 wrote to memory of 3488	5656	WScript.exe	196
PID 3488 wrote to memory of 5188	3488	sihost.exe	198
PID 3488 wrote to memory of 5188	3488	sihost.exe	198
PID 3488 wrote to memory of 5920	3488	sihost.exe	199
PID 3488 wrote to memory of 5920	3488	sihost.exe	199
PID 5188 wrote to memory of 5396	5188	WScript.exe	200
PID 5188 wrote to memory of 5396	5188	WScript.exe	200
PID 5396 wrote to memory of 3596	5396	sihost.exe	201
PID 5396 wrote to memory of 3596	5396	sihost.exe	201
PID 5396 wrote to memory of 2040	5396	sihost.exe	202
PID 5396 wrote to memory of 2040	5396	sihost.exe	202
PID 3596 wrote to memory of 5368	3596	WScript.exe	203
PID 3596 wrote to memory of 5368	3596	WScript.exe	203
PID 5368 wrote to memory of 1836	5368	sihost.exe	204
PID 5368 wrote to memory of 1836	5368	sihost.exe	204

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
"C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5948
- C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
  "C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ON83D8AI2o.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5652
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe
      "C:\Users\Admin\AppData\Local\Temp\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe"
      4⤵
      Checks computer location settings
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qUMg8BuEM.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:5384
      - C:\Recovery\WindowsRE\sihost.exe
        
        "C:\Recovery\WindowsRE\sihost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f6d6c243-1dc7-4189-b021-4fd5ac7fc5be.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5124
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a111e2a0-2a95-4ab7-a34b-9b33179567d3.vbs"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d79df908-df60-4897-a6c0-ffa5cbc8d171.vbs"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5616
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\d90f54eb-c328-4508-a164-21a94871be86.vbs"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c082c835-31dd-4747-9baa-c990401908af.vbs"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9b0613f9-2f5f-40df-b0c2-ec2974c006b5.vbs"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:5656
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c1c325e9-01c6-4340-b1a8-914a7cd05b47.vbs"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:5188
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\42ec6a8c-b122-4e46-8f05-ff36a80e4fc4.vbs"
        21⤵
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\327684f8-d51e-4c0c-b3fb-62bb660ac484.vbs"
        23⤵
        
        PID:1836
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\68365265-db41-479e-9e09-e1a24a75497b.vbs"
        25⤵
        
        PID:5536
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4f5fbe04-3c7a-432e-8e68-1bcf880f8c84.vbs"
        27⤵
        
        PID:2100
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1cc92ef5-aa42-4abd-9bf1-f478e5514edb.vbs"
        29⤵
        
        PID:5080
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a05f110f-fd51-4ef8-9b2e-ae9dbf3f9e33.vbs"
        31⤵
        
        PID:1156
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\0822ee6f-6952-4a40-bbab-54f3df300be0.vbs"
        33⤵
        
        PID:1932
        
        C:\Recovery\WindowsRE\sihost.exe
        
        C:\Recovery\WindowsRE\sihost.exe
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4840d7e6-7c8b-4949-9291-152cb862d528.vbs"
        33⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\255cf2d6-2534-4691-9619-f081b3b0a93d.vbs"
        31⤵
        
        PID:3668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1fbce457-1971-41e2-8784-10bbcd576fa9.vbs"
        29⤵
        
        PID:2372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21395d58-1453-473d-b9d0-470195526152.vbs"
        27⤵
        
        PID:4104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\9d723621-bc7a-43e3-aeaa-027a2bffc396.vbs"
        25⤵
        
        PID:3152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\35135e4c-67cf-4415-a9c0-5947a2397306.vbs"
        23⤵
        
        PID:4364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a307521f-4a23-4cdf-9d48-a85f7f4438ef.vbs"
        21⤵
        
        PID:2040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa17bd70-2281-4bb5-b2da-635ed9b31ee8.vbs"
        19⤵
        
        PID:5920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\a44feca7-477c-4437-b738-72a58864b4ae.vbs"
        17⤵
        
        PID:1476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\08d8a807-6a71-415b-8eb8-a94cd3011964.vbs"
        15⤵
        
        PID:5624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\833a9792-93e2-4eb1-b2f0-b91a0373848a.vbs"
        13⤵
        
        PID:2888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\803543f9-ed66-4b69-abec-30ac2d540225.vbs"
        11⤵
        
        PID:4936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b2bf8697-32d9-407a-8d9f-d7d8df5aa027.vbs"
        9⤵
        
        PID:1288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e2dde784-40d6-422a-ab89-4d7e394bbfb1.vbs"
        7⤵
        
        PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotification" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "MusNotificationM" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\MusNotification.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\PrintDialog\microsoft.system.package.metadata\Autogen\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\f9532e701a889cdd91b8\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\f9532e701a889cdd91b8\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6f" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Help\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6" /sc ONLOGON /tr "'C:\Windows\Help\Help\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6f" /sc MINUTE /mo 7 /tr "'C:\Windows\Help\Help\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\production\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\production\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\f9532e701a889cdd91b8\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\production\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\IdentityCRL\production\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Windows\ModemLogs\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Windows\ModemLogs\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework64\1031\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework64\1031\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\Framework64\1031\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:6088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\f9532e701a889cdd91b8\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\aff403968f1bfcc42131676322798b50\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\aff403968f1bfcc42131676322798b50\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\aff403968f1bfcc42131676322798b50\dwm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\fontdrvhost.exe

Filesize
885KB

MD5
4e4a17881c1316219677108d5b216e94

SHA1
b575bd98680cb9ba30e5ea655aa02db938e2bd53

SHA256
d1c9b62b15520afd83b901019803327dbd0ba0c603984ff71d2b5fc268ca3ff9

SHA512
69b53751e0c54b802c6b9797cdc9407724f68f12d9cbc06d4fe8ca82f5f2686efb7eabd5702a7271c352de4c76c7738426e6015c10cd056d8f0487601ffd5d34

Download Submit
C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\System.exe

Filesize
885KB

MD5
458d081aabcecb1923f4df195de4c5c1

SHA1
476379200537a651edb2187ab55f1f4931cc4384

SHA256
d6322eff535dfa3d3945859be40e774f4a88ee27fab07c1acda44b3913a0f070

SHA512
031c6bcc258fa4136b1d2dddc2f0b0a735374a257e72e4dfc9ef2eda6f88d39b69eba154261d8bd7ae7c8a3b499c2d22b18fbfc144b47ff7249df984f6ef2ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
3690a1c3b695227a38625dcf27bd6dac

SHA1
c2ed91e98b120681182904fa2c7cd504e5c4b2f5

SHA256
2ca8df156dba033c5b3ae4009e3be14dcdc6b9be53588055efd0864a1ab8ff73

SHA512
15ebfe05c0317f844e957ac02842a60b01f00ddca981e888e547056d0e30c97829bc4a2a46ce43034b3346f7cf5406c7c41c2a830f0abc47c8d2fd2ef00cb2c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0822ee6f-6952-4a40-bbab-54f3df300be0.vbs

Filesize
708B

MD5
cd26d4933ef4e48d6f4d1463864c5c9b

SHA1
bc24342ae2eada976ac888379417807ff7c73536

SHA256
512081026c86b0970ec38b04aa153bf73a9c0c5f189b192d1d4ae9188e9ea7d1

SHA512
b383a885b8459a5b85c02c9bb6bf51f0868ce20a14b1180c1126482cc1555397e27c8c50a91ee4eec14ee8a8280742a1434996821e1fed878d23aa66d51449bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\1cc92ef5-aa42-4abd-9bf1-f478e5514edb.vbs

Filesize
708B

MD5
36c56fb30a14bd05c8a59db7bc762fd1

SHA1
72de02991827d40a4c5fd0b1a63a7dc095628d04

SHA256
5f01359e2619a868a66d41483236c28282a88b5c8c482eb92f54893b5f7dca77

SHA512
b771b8baa29af9e8cac9be4700652d7ea087dd61df6e756782ab66fb31b732c221baaae903226b78b01ab471b68314ce1ae85ebe297b494574b3e9b02b78aecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\327684f8-d51e-4c0c-b3fb-62bb660ac484.vbs

Filesize
708B

MD5
fc3d967a833e1c7215168199448b208c

SHA1
03d436948f2a05fa168ddba09b8c8906b88cac33

SHA256
6211948ea73bfef15c14e506e18a6e11b69c0dab1f9e0749d745ca93cea9cf80

SHA512
b64516cd914d26448ff6cae1dff6a1304ee4072696726d3256a5cfd5dd54b657deb34ceca35ba1ef470fbbdf927dc2543bc42fd04e31cf362178b29284e5939d

Download Submit
C:\Users\Admin\AppData\Local\Temp\42ec6a8c-b122-4e46-8f05-ff36a80e4fc4.vbs

Filesize
708B

MD5
78d211a02eddcf8cbf26c8ba42799fbe

SHA1
c165c6b860e27cc9b8dbfc6de222a929e012b171

SHA256
71a97c9be0a1e35dab3c3e866bf2932d8d33f2145519e919c72edc4e8fce1326

SHA512
d5e6b495af1c24cd6613ee026ad78ecec14c21c50e49471a5f5a0cf92878fc25fd368af29ca3726f30809665c69e9e5ba6f534f089d7d52c21b6950008d809be

Download Submit
C:\Users\Admin\AppData\Local\Temp\4f5fbe04-3c7a-432e-8e68-1bcf880f8c84.vbs

Filesize
708B

MD5
14ea7e6c45ecf439ea33e3b94ab9dd28

SHA1
24df49d541ef0858df0399273ccc7748712942b7

SHA256
fad09a571df38298acc3b0c88b5bbdaaa274b882146087fce2bb9675ad886258

SHA512
fb126296878d1cc918f9d1a4197bf73019e8184fee2220657f1fd537ee1528f596700b31e03c148503be1607ac0ce1b4d26bf0739bad23453cc1c845f1235bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\68365265-db41-479e-9e09-e1a24a75497b.vbs

Filesize
708B

MD5
3773772a91927bf1a5059dd177a0c527

SHA1
ca1024968f4a9a5e4c4368b2a98ef69e43485d08

SHA256
c0dfc33d25d400541e3bf0f98a6f5104b618bd488f8b240613e74cbbffc3ac6e

SHA512
b05cda23159930e0c7f79b860b57f9d50a0e80bd1e043e4bb790c2d75b5c29954afbf9b1a47d7572d32d1d0150930c7ce6e2e1f4c4ce5d700158f1ba97b4143a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qUMg8BuEM.bat

Filesize
197B

MD5
1351e74f3bbde0feae76fc131e3c4d17

SHA1
f1b6be6ef1ae03e1c07061dc4b9a5874ee0af246

SHA256
66aed8378719bf1103fa5dada193ec823740f5b2bdd65b168add315e796c9829

SHA512
ffcf0ca3f375720e008b270a903bbfa7f7d2bada4f38342eab0bfb4e6cd51878e05176f6e2f8a441bf58f18c0eb1904888ac0a03359d957712e4069013f1fd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\9b0613f9-2f5f-40df-b0c2-ec2974c006b5.vbs

Filesize
708B

MD5
8a156a227b5aa966f5c0c68f0faaff54

SHA1
e93b7c5571f1014d022f95eb0d4a2df988003f65

SHA256
e0f1c13ee0d07c21595fe77f320ccbbf76855460b137009e50ed3bcf9aae921a

SHA512
541f441679e3f8e2e9953075cc50c0fac9de7a7f1ba385e0589362c29c69e227a51d311071f6c9e41c18b9454f5584110edc312b20c743774de28701024ad993

Download Submit
C:\Users\Admin\AppData\Local\Temp\ON83D8AI2o.bat

Filesize
267B

MD5
0620a82733c99c7621c53bb978f59664

SHA1
1324a8c3f12e9bc1fc37d3cb202bae35d373ff22

SHA256
bc73267b67b076cc67d1edff6ca6deda68f6598decaa776104d73e23442a3e01

SHA512
68129839b50c7b912a2dc66e1f95968447e3fb338801d47fb34517fc74e462910ec6a5b68f0155b2b51620af57be9ca600cd4bcb866fcfa5da586797cf8eb720

Download Submit
C:\Users\Admin\AppData\Local\Temp\a05f110f-fd51-4ef8-9b2e-ae9dbf3f9e33.vbs

Filesize
708B

MD5
eb874eedca801917e7b1364608a9fe52

SHA1
d2426aea990f397dc0dba16debecbf0f8c439026

SHA256
201c6b164c2ca02c5d41a95e9534b601fde72ba0afc4225efded1231bb4744f4

SHA512
279e734b831c4fc98e8e99d9951bf632ce03adac8d86876daca821875bde53e7b2b3e23abd9ba228dc49243c4560a7563596a53ca5499441e61fd298c371eed6

Download Submit
C:\Users\Admin\AppData\Local\Temp\a111e2a0-2a95-4ab7-a34b-9b33179567d3.vbs

Filesize
708B

MD5
28958c25fc3cc93366312b124217a295

SHA1
09f35d414d6ce31dadec6d54326e02b1a36a63d0

SHA256
516ce5d5e0a1c011914cccf1fa6f179649b200903a58d00a293da193e1dce305

SHA512
c0872885a735da360e4addbe36a7b95c44b2baf86f7f8029dd5ab1644957f497d9c7d57c9049f40d8ec039317b00d0a87f375773879a738aa6eff356828df838

Download Submit
C:\Users\Admin\AppData\Local\Temp\c082c835-31dd-4747-9baa-c990401908af.vbs

Filesize
708B

MD5
1b0729ecd80a24c494b6ceb92f1a1243

SHA1
14cc14632fb1433c20f8ef354ba3defe04273ec1

SHA256
276299fb9edebd12994ebf6a4d70f1b9b440f8489b6a48e1cb720b87d8a89c39

SHA512
b44ca35f39dbf53d6abe2a8e022f999c81cd24c0769b4b9867e8c62cb70f01ab2870d894fe7dc609b173e0a263cb3acab92dba575a0a3e70ee9e7ee65298343f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c1c325e9-01c6-4340-b1a8-914a7cd05b47.vbs

Filesize
708B

MD5
1c5886454743901817a80c5ba319c7c0

SHA1
e9fcc08254bff511fffb6fe52a53db0a0a578b3c

SHA256
b1529739e86032ca66059ab96bb7b35dc8b79eefd9030d1591710dd67e00ea16

SHA512
3d00fce915b0b963e9870673396c104bcba39e01709e6dbaed2614a0477a1cf984095e02d9a1bf4e228c2b1b1cc6b3c8f59ca4a7dc8ae3993a52732b0deb4bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\d79df908-df60-4897-a6c0-ffa5cbc8d171.vbs

Filesize
708B

MD5
23366a3283cae0e5cd2d734887846691

SHA1
a297437eaf6b50c9e22ef82a8923bde2cd885ea2

SHA256
02660f85785f8d3bac228aeeccfeb8542a68870b49fbb88431acbb774fc43d88

SHA512
8999492ae20f418a32dd82a20d470147e6ab84d7f595f9e91776a4f154e0e9456e0bbf5cd223a53abfbd8cfcd34426982ea94c53311cecccd5d97e9911495a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d90f54eb-c328-4508-a164-21a94871be86.vbs

Filesize
708B

MD5
c44920e69af8f453f506022139aabead

SHA1
939eadcdff1187b4ff5c78bd902e0d85c3abf80e

SHA256
cb4b7dafcd1a874832044e1b5f39f14d5183b60a9fc339e3ed8df08233fec141

SHA512
c1657a8733e36aa33b0a6ccb082afdd82a772749d5b7a4148216f6676bf642a524eda9fc4ac98204e227530b0b6c13bc5c965be986bfe7eceb302a229acd27e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2dde784-40d6-422a-ab89-4d7e394bbfb1.vbs

Filesize
484B

MD5
2aeabe6736a1935108b428fabea6462b

SHA1
51e0f00ba27bb142a86a1c7a46dc7935392d444b

SHA256
b372284b77559834a7d3143405a08065cdb1034f19e5e2fe99913da44447b55d

SHA512
1e0ac819310b3bbf2bc746906b22524676aa53999ef503275f1bc72282db3d7db1597089507c830824f3843a7d8cf978a6529bfd44b72b802d2d86e0663da366

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6d6c243-1dc7-4189-b021-4fd5ac7fc5be.vbs

Filesize
708B

MD5
7a337cbc68acf369613f7123ac2f6b5c

SHA1
d27b520e8c5f9f8bbb0fb309fb816578c9075596

SHA256
70493cff613a1b3e649b8ab441f6cd23e7cb87c418b88473cb72ee17c4b066ae

SHA512
f1af2b726cc6c56f65db479cdaed88d3b9c2522b3e0e546c64e6daa2d857223854994b199ed9b87778c4f9f20781f26d316e64d10ed77b3458d539815822788d

Download Submit
C:\Users\Admin\Music\services.exe

Filesize
885KB

MD5
63fa59f7c83ec1df2eac00cc85696830

SHA1
799e9ea365e4ad95c05d21e275e72438882ad776

SHA256
f6e8ad2f79264f067063144585dd8840a8ae0768c4f7f68edcda045ad3bee1c6

SHA512
0fc737e68a46d1af83e99b67f066b94bbfaad74bbeeeb183fda33337576fdca3c00fc894706bcfd75d74f0a6432982955a1fdba84fd13252413402c3aa9017d3

Download Submit
C:\f9532e701a889cdd91b8\WmiPrvSE.exe

Filesize
885KB

MD5
b14e4863f3104c89e9ee1f38fd5417fb

SHA1
9d7cf9d95f6e790ff3c588972d925e8e1d14a8fc

SHA256
b76e73fd9bc360e77829f70f8af53bcf139453208376f9086b3242d95cec3009

SHA512
59873fc55e28e816d691f51d93f013af7ffc0422064496c706ff50ae1658d30dc94599cb6d9f66b1909b589112b991fc0b19ef67e9529e43c0970ffa9d394ce8

Download Submit
memory/5948-0-0x00007FFE082F3000-0x00007FFE082F5000-memory.dmp

Filesize
8KB

Download
memory/5948-45-0x00007FFE082F0000-0x00007FFE08DB1000-memory.dmp

Filesize
10.8MB

Download
memory/5948-9-0x000000001B2C0000-0x000000001B2C8000-memory.dmp

Filesize
32KB

Download
memory/5948-10-0x000000001B2D0000-0x000000001B2DC000-memory.dmp

Filesize
48KB

Download
memory/5948-6-0x000000001B290000-0x000000001B2A6000-memory.dmp

Filesize
88KB

Download
memory/5948-7-0x0000000000F30000-0x0000000000F3A000-memory.dmp

Filesize
40KB

Download
memory/5948-8-0x000000001B2B0000-0x000000001B2BE000-memory.dmp

Filesize
56KB

Download
memory/5948-4-0x000000001B2E0000-0x000000001B330000-memory.dmp

Filesize
320KB

Download
memory/5948-5-0x0000000000D10000-0x0000000000D20000-memory.dmp

Filesize
64KB

Download
memory/5948-3-0x00000000029A0000-0x00000000029BC000-memory.dmp

Filesize
112KB

Download
memory/5948-2-0x00007FFE082F0000-0x00007FFE08DB1000-memory.dmp

Filesize
10.8MB

Download
memory/5948-1-0x0000000000580000-0x0000000000664000-memory.dmp

Filesize
912KB

Download