dcrat | e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550

Analysis

max time kernel
1766s
max time network
1801s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
29-10-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput(1).exe
Size

607KB
MD5

19d31479381cfda2c9878b427f51a0c2
SHA1

5b8774c60b71dd32e7325d0fbceb3434975ca7cc
SHA256

e3b4620b85709a793de2b777da764d094f9a6dc19ead0a7fcad953c1fb3e8550
SHA512

14ce10c974af40f5ab3e93f3bb3ff5ada22a8c2245bf45f40be0a59a75bcd9bfb2bf2288416744a2cebb93b3eb487ba070670d553ea87ca8c0e566c727bf28a2
SSDEEP

12288:DikJ/Wmo/J594F3o472LiJgSifSdq/UByol53uFb/V4YUWpcZm83:TJ/+z4F3osuiKoqsyol54bWYUK

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe"	dwm.exe

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3396	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3280	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3448	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5056	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4364	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3116	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3160	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4592	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3892	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3980	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3120	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4612	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4512	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3868	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4404	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3996	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	4632	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	4632	schtasks.exe	84

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral4/files/0x001a00000002ab58-6.dat	dcrat
behavioral4/files/0x001000000002ab61-22.dat	dcrat
behavioral4/memory/1700-24-0x0000000000D40000-0x0000000000E16000-memory.dmp	dcrat

Executes dropped EXE 34 IoCs

pid	Process
5060	kendalcp.exe
1700	reviewDll.exe
3652	reviewDll.exe
3024	dwm.exe
3904	conhost.exe
4220	SearchHost.exe
4680	sihost.exe
1960	Idle.exe
4920	System.exe
3236	services.exe
1896	fontdrvhost.exe
3752	lsass.exe
2860	dllhost.exe
812	OfficeClickToRun.exe
1692	conhost.exe
4500	cmd.exe
4460	RuntimeBroker.exe
3664	Registry.exe
1548	System.exe
232	services.exe
4640	conhost.exe
4412	dllhost.exe
4916	OfficeClickToRun.exe
1920	conhost.exe
4100	System.exe
1784	services.exe
2888	RuntimeBroker.exe
4260	conhost.exe
1136	Registry.exe
4880	System.exe
5052	services.exe
4420	dllhost.exe
776	OfficeClickToRun.exe
2944	conhost.exe

Drops file in Program Files directory 29 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe	reviewDll.exe
File opened for modification	C:\Program Files\Reference Assemblies\dwm.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\sihost.exe	reviewDll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\Registry.exe	reviewDll.exe
File created	C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe	reviewDll.exe
File created	C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe	reviewDll.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	reviewDll.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\SearchHost.exe	reviewDll.exe
File created	C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe	reviewDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\9e8d7a4ca61bd9	reviewDll.exe
File created	C:\Program Files\7-Zip\Lang\e6c9b481da804f	reviewDll.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\c5b4cb5e9653cc	reviewDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\886983d96e3d3e	reviewDll.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\66fc9ff0ee96c2	reviewDll.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	reviewDll.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe	reviewDll.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\cfa885d449487c	reviewDll.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Registry.exe	reviewDll.exe
File created	C:\Program Files\Microsoft Office\Office16\9e8d7a4ca61bd9	reviewDll.exe
File created	C:\Program Files\Reference Assemblies\dwm.exe	reviewDll.exe
File created	C:\Program Files\Reference Assemblies\6cb0b6c459d5d3	reviewDll.exe
File created	C:\Program Files\Internet Explorer\it-IT\explorer.exe	reviewDll.exe
File created	C:\Program Files\Internet Explorer\it-IT\7a0fd90576e088	reviewDll.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2021.2101.27.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\Idle.exe	reviewDll.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\27d1bcfc3c54e0	reviewDll.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\it-IT\ee2ad38f3d4382	reviewDll.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe	reviewDll.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\System.exe	reviewDll.exe
File created	C:\Program Files (x86)\Internet Explorer\images\5b884080fd4f94	reviewDll.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\fontdrvhost.exe	reviewDll.exe
File created	C:\Windows\Resources\Themes\5b884080fd4f94	reviewDll.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kendalcp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	kendalcp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1976	schtasks.exe
2996	schtasks.exe
3032	schtasks.exe
3432	schtasks.exe
2752	schtasks.exe
2540	schtasks.exe
3672	schtasks.exe
3900	schtasks.exe
3948	schtasks.exe
3040	schtasks.exe
1400	schtasks.exe
2432	schtasks.exe
4512	schtasks.exe
1432	schtasks.exe
2952	schtasks.exe
716	schtasks.exe
3120	schtasks.exe
3868	schtasks.exe
748	schtasks.exe
3744	schtasks.exe
5060	schtasks.exe
4364	schtasks.exe
4592	schtasks.exe
4612	schtasks.exe
1412	schtasks.exe
2632	schtasks.exe
2980	schtasks.exe
3488	schtasks.exe
2624	schtasks.exe
2300	schtasks.exe
5056	schtasks.exe
1352	schtasks.exe
3092	schtasks.exe
4744	schtasks.exe
2004	schtasks.exe
1372	schtasks.exe
3044	schtasks.exe
4636	schtasks.exe
3448	schtasks.exe
4292	schtasks.exe
3160	schtasks.exe
2160	schtasks.exe
2352	schtasks.exe
2884	schtasks.exe
2136	schtasks.exe
3116	schtasks.exe
1056	schtasks.exe
4780	schtasks.exe
4496	schtasks.exe
1908	schtasks.exe
1516	schtasks.exe
552	schtasks.exe
2180	schtasks.exe
3892	schtasks.exe
1604	schtasks.exe
3328	schtasks.exe
3908	schtasks.exe
1692	schtasks.exe
2408	schtasks.exe
4404	schtasks.exe
3996	schtasks.exe
2072	schtasks.exe
1836	schtasks.exe
1964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
1700	reviewDll.exe
3652	reviewDll.exe
3652	reviewDll.exe
3652	reviewDll.exe
3652	reviewDll.exe
3652	reviewDll.exe
3024	dwm.exe
3024	dwm.exe
3024	dwm.exe
3024	dwm.exe
3024	dwm.exe
3024	dwm.exe
3024	dwm.exe
3024	dwm.exe
3024	dwm.exe
4500	cmd.exe
4500	cmd.exe
4500	cmd.exe
4500	cmd.exe
4500	cmd.exe
4500	cmd.exe
4500	cmd.exe
4500	cmd.exe
4500	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3024	dwm.exe
4500	cmd.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	reviewDll.exe
Token: SeDebugPrivilege	3652	reviewDll.exe
Token: SeDebugPrivilege	3024	dwm.exe
Token: SeDebugPrivilege	3904	conhost.exe
Token: SeDebugPrivilege	4220	SearchHost.exe
Token: SeDebugPrivilege	4680	sihost.exe
Token: SeDebugPrivilege	1960	Idle.exe
Token: SeDebugPrivilege	4920	System.exe
Token: SeDebugPrivilege	3236	services.exe
Token: SeDebugPrivilege	1896	fontdrvhost.exe
Token: SeDebugPrivilege	3752	lsass.exe
Token: SeDebugPrivilege	2860	dllhost.exe
Token: SeDebugPrivilege	812	OfficeClickToRun.exe
Token: SeDebugPrivilege	1692	conhost.exe
Token: SeDebugPrivilege	4500	cmd.exe
Token: SeDebugPrivilege	4460	RuntimeBroker.exe
Token: SeDebugPrivilege	3664	Registry.exe
Token: SeDebugPrivilege	1548	System.exe
Token: SeDebugPrivilege	232	services.exe
Token: SeDebugPrivilege	4640	conhost.exe
Token: SeDebugPrivilege	4412	dllhost.exe
Token: SeDebugPrivilege	4916	OfficeClickToRun.exe
Token: SeDebugPrivilege	1920	conhost.exe
Token: SeDebugPrivilege	4100	System.exe
Token: SeDebugPrivilege	1784	services.exe
Token: SeDebugPrivilege	2888	RuntimeBroker.exe
Token: SeDebugPrivilege	4260	conhost.exe
Token: SeDebugPrivilege	1136	Registry.exe
Token: SeDebugPrivilege	4880	System.exe
Token: SeDebugPrivilege	5052	services.exe
Token: SeDebugPrivilege	4420	dllhost.exe
Token: SeDebugPrivilege	776	OfficeClickToRun.exe
Token: SeDebugPrivilege	2944	conhost.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 5060	812	XBinderOutput(1).exe	79
PID 812 wrote to memory of 5060	812	XBinderOutput(1).exe	79
PID 812 wrote to memory of 5060	812	XBinderOutput(1).exe	79
PID 5060 wrote to memory of 232	5060	kendalcp.exe	80
PID 5060 wrote to memory of 232	5060	kendalcp.exe	80
PID 5060 wrote to memory of 232	5060	kendalcp.exe	80
PID 232 wrote to memory of 276	232	WScript.exe	81
PID 232 wrote to memory of 276	232	WScript.exe	81
PID 232 wrote to memory of 276	232	WScript.exe	81
PID 276 wrote to memory of 1700	276	cmd.exe	83
PID 276 wrote to memory of 1700	276	cmd.exe	83
PID 1700 wrote to memory of 3652	1700	reviewDll.exe	133
PID 1700 wrote to memory of 3652	1700	reviewDll.exe	133
PID 3652 wrote to memory of 3024	3652	reviewDll.exe	164
PID 3652 wrote to memory of 3024	3652	reviewDll.exe	164
PID 3024 wrote to memory of 4832	3024	dwm.exe	203
PID 3024 wrote to memory of 4832	3024	dwm.exe	203
PID 4832 wrote to memory of 1020	4832	cmd.exe	205
PID 4832 wrote to memory of 1020	4832	cmd.exe	205

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput(1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:812
- C:\Users\Admin\AppData\Local\Temp\kendalcp.exe
  "C:\Users\Admin\AppData\Local\Temp\kendalcp.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:276
    - - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\blocksavesperfMonitorDll\reviewDll.exe
        
        "C:\blocksavesperfMonitorDll\reviewDll.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Program Files\Reference Assemblies\dwm.exe
        
        "C:\Program Files\Reference Assemblies\dwm.exe"
        7⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat" "
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\Accessories\it-IT\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Public\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\blocksavesperfMonitorDll\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\blocksavesperfMonitorDll\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Media Renderer\SearchHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\Media Renderer\SearchHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\blocksavesperfMonitorDll\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\blocksavesperfMonitorDll\csrss.exe'" /rl HIGHEST /f
1⤵
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\blocksavesperfMonitorDll\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\it-IT\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:4744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:5060

C:\Users\All Users\Application Data\conhost.exe
"C:\Users\All Users\Application Data\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Program Files\Windows Media Player\Media Renderer\SearchHost.exe
"C:\Program Files\Windows Media Player\Media Renderer\SearchHost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Program Files (x86)\Windows Media Player\uk-UA\sihost.exe
"C:\Program Files (x86)\Windows Media Player\uk-UA\sihost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Recovery\WindowsRE\Idle.exe
C:\Recovery\WindowsRE\Idle.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe
"C:\Program Files (x86)\Internet Explorer\images\fontdrvhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1896

C:\Program Files\Uninstall Information\lsass.exe
"C:\Program Files\Uninstall Information\lsass.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2860

C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe
"C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:812

C:\Users\All Users\Application Data\conhost.exe
"C:\Users\All Users\Application Data\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDll" /f
1⤵
PID:4228

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "reviewDllr" /f
1⤵
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwm" /f
1⤵
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwmd" /f
1⤵
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sihost" /f
1⤵
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sihosts" /f
1⤵
PID:4696

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchHost" /f
1⤵
PID:4084

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "SearchHostS" /f
1⤵
PID:4220

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sihost" /f
1⤵
PID:4688

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "sihosts" /f
1⤵
PID:4600

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwm" /f
1⤵
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwmd" /f
1⤵
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrss" /f
1⤵
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "csrssc" /f
1⤵
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "Idle" /f
1⤵
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "IdleI" /f
1⤵
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhost" /f
1⤵
PID:4208

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "fontdrvhostf" /f
1⤵
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "explorer" /f
1⤵
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "explorere" /f
1⤵
PID:4416

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsass" /f
1⤵
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "lsassl" /f
1⤵
PID:4800

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwm" /f
1⤵
PID:3820

C:\Windows\system32\schtasks.exe
schtasks.exe /delete /tn "dwmd" /f
1⤵
PID:4932

C:\Recovery\WindowsRE\cmd.exe
C:\Recovery\WindowsRE\cmd.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4460

C:\Program Files (x86)\Windows NT\Accessories\it-IT\Registry.exe
"C:\Program Files (x86)\Windows NT\Accessories\it-IT\Registry.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Users\All Users\Application Data\conhost.exe
"C:\Users\All Users\Application Data\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe
"C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Users\All Users\Application Data\conhost.exe
"C:\Users\All Users\Application Data\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4100

C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe
"C:\Program Files\Microsoft Office\Office16\RuntimeBroker.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Users\All Users\Application Data\conhost.exe
"C:\Users\All Users\Application Data\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4260

C:\Program Files (x86)\Windows NT\Accessories\it-IT\Registry.exe
"C:\Program Files (x86)\Windows NT\Accessories\it-IT\Registry.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Recovery\WindowsRE\System.exe
C:\Recovery\WindowsRE\System.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe
"C:\Program Files (x86)\Windows Sidebar\Gadgets\services.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5052

C:\Recovery\WindowsRE\dllhost.exe
C:\Recovery\WindowsRE\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe
"C:\Program Files\7-Zip\Lang\OfficeClickToRun.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Users\All Users\Application Data\conhost.exe
"C:\Users\All Users\Application Data\conhost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Explorer\images\5b884080fd4f94

Filesize
878B

MD5
6d9f1e344109cc4d53a5e1c4ad7cc315

SHA1
478ac63b18e9b49efed5f906fa328acf3407300d

SHA256
17685b62d91b803bb6cfac0085cf777b7dbd2a7d06c34a653183457bf13e729c

SHA512
61679e9bcd6fc8766afbae78af14cc05952dc67b09b52250f02690b43ac9701ee0be45a751945a96d30e3e6ae03cfaccc787a468faae7669b658bfb1b401799f

Download Submit
C:\Program Files (x86)\Windows Media Player\uk-UA\66fc9ff0ee96c2

Filesize
498B

MD5
e8a8018996ee6121e9df09252a507b77

SHA1
e4c9e2c5dd5af38eefc6d68b2f1becf0481a7c6d

SHA256
bac8b442f3ffd27d37837cd5fa72b933bb859ba438e728e0118927fea3d08664

SHA512
590dfadd955fce3d5570e9ad6437e87afbf470d0cc53ea43ab293628c1aa5a39e7d9d52d0530fd41c9607450b948225c003c99467db1c3e815bcb98008cf500f

Download Submit
C:\Program Files\Internet Explorer\it-IT\7a0fd90576e088

Filesize
47B

MD5
7dfb4d3d6c9647129c60bdf0f119fb83

SHA1
3a4654646d5ad93a3034d3bd7bd612011efb931a

SHA256
95c315658c4d9d62f04705f7bbf24881e5c30506c28214f11bb48c762782371e

SHA512
8e439b242902d43984eea48beca51e3915e6acfe1971c1314bdcd44a9ec84448c06fe6051a8f3cd5e7f15e1688805a890e5759d359907de711dbfcbfe93cdc93

Download Submit
C:\Program Files\Reference Assemblies\6cb0b6c459d5d3

Filesize
615B

MD5
4b3d1ee07aae3e92986a4146c74388a0

SHA1
6a37a3ee75365e62678a499506f85cd27bf2f77b

SHA256
6ae8ab84911cae1c0c70f8df845c1975b852ae22e19eca4338385125873420f6

SHA512
253a7904f3f8da22c5c8754be339ac21ea244efebafe27ee4b85b445f10b50afde298b52d464882b7416c3d5fd7003e52f688a152ce87dcd03420f25c10ca297

Download Submit
C:\Program Files\Uninstall Information\6203df4a6bafc7

Filesize
351B

MD5
0d131974cae178f77d02197185e62632

SHA1
da1e9272d2ad154d8d8728c11577facdd16973d8

SHA256
f8f215659b4377e31b22cd665edeb66790a29767694449302d905cb0c280fc93

SHA512
b8b9af147bdd921cb1e2e9e78f26d1fb18f4f9afae1a8f7cc6f57523cb6470c8454c64f74763e9291a44336e00af14e1cec1b6b55d978c5a9a5fd4d57f818f91

Download Submit
C:\Program Files\Windows Media Player\Media Renderer\cfa885d449487c

Filesize
25B

MD5
a61becdc4921f98fb26f341a888fe3ff

SHA1
e104ec4133911bf4c708790213d7e37e7102b5c8

SHA256
679febe6d5d739e369e28531c9a1116e8bd1736ee62ead0046eb1186248564f6

SHA512
1f0605a194dcc452d1857e6162aaf17190976cf68464b4cc8ef3ebc56709d5ab46e2d96a93afea7016f1d8ed51a11311ca749c5be925371842d1ec1af4156dc9

Download Submit
C:\Recovery\WindowsRE\66fc9ff0ee96c2

Filesize
53B

MD5
d489c350fde839acb6ae3131aeaf7ea1

SHA1
b86ef250dcbdccbd3bb59ae2b09799f41f234d5d

SHA256
b9f9e051ed13f8cb59ece9f9193a803f04e87ac1db546f4a13d6d4aa05a64fdd

SHA512
650278024deacf97c3d5418ac290f9cdd4730f6bd7fb3ecb2fd8fecef950e2a462f189bf0ee44007634f6bc9f592d0675bfda0e63231397e9c522135093844a4

Download Submit
C:\Recovery\WindowsRE\6ccacd8608530f

Filesize
339B

MD5
698bdab29af5dc5017b5c70bec02ed64

SHA1
b844105ee67f64483270f784419f2f192235ca64

SHA256
65cd07c1b39584fe921081dc628a740946594160847780aa1cefec6a2cef644d

SHA512
7b099d5fa32a32d3ef5de198e4af35f186b559cc3666ec80b399a5ebacd3431e61f9e4ac010c5f9765c00e4e50d070b15a9b3fa48a46284cd167fe9f59d84d89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\reviewDll.exe.log

Filesize
1KB

MD5
400b532c938aca538f01c5616cf318cd

SHA1
598a59a9434e51a6416f91a4c83bd02505ecb846

SHA256
28e57db6d7535775b5e65c90ab208c7fe392e373056db5d35e76854270ecd05d

SHA512
b15583323c457d389b873eb31b8e59fef450c0c0e684b0f797231e8d0abace9227b15d4e45b45f4c79ad044a28cc3d79f9f7c2a81bd38e43b0c09f07aaa95b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

Filesize
283B

MD5
c87f4b086dff06a7745b216fd97b6444

SHA1
728af0898fb106f4829197af0d8d855a10851b67

SHA256
ee5e0751683d6e539801dc9dc95a05f4863d8ea6ecf3e273ed85b376db0676e0

SHA512
65346f5541f0872bd8b0ada1a5de71a94ddfcb7168b39e6ef1d3606f012331f3139ac05b1b4767dc3bffa1ef9be28741363b0136e874ea211f1690746a50fa34

Download Submit
C:\Users\Admin\AppData\Local\Temp\kendalcp.exe

Filesize
1.1MB

MD5
0d015cc111d53a019e680b0bed11fcad

SHA1
3b3fb6eeba0c2ba286a4db5e850697399ccb5e36

SHA256
2b7365d9634016b0483009225b959692c290a6b17fad133e42434dc89fdf4150

SHA512
c3a7ea551d0151033dde83a3dda1042e8fe26702c84da2b630ecffb739aecb654730bb5f7ec8914189f72ca7d0ecf1352f0ca7effa938bc1d6f0ae56c3358eab

Download Submit
C:\Users\Admin\Local Settings\6cb0b6c459d5d3

Filesize
639B

MD5
5daa08ca775558f44c476ea88760c691

SHA1
8cf3788f28072c1fe9b70a8d459a315aa23e480b

SHA256
70d2ea135c99752f3677454ad97df624fe8312859df13d7625f40fb45cd63775

SHA512
da13242c8bb6038372584ce5d9dce5c8c4058c1292790bac1f6e85e44ccb4322118fb33f17c5a12f0641e50a468cd49328567932b01d46fb097684c5056bd43a

Download Submit
C:\blocksavesperfMonitorDll\886983d96e3d3e

Filesize
748B

MD5
e6e25811fd3a9d144bbfdb268a28cf75

SHA1
f15b6399aebfbf2a2c53ef98b8acf15bcd4bddbf

SHA256
127e6cc11e5c77d16409de66e93f46c78e7f6b99ecebe6bb34181eb030dd6e76

SHA512
569df5ad23ded3c0428b17faac270207e57f9e5f8c1e8ba166530ae497c708383fcf9182bfa448802b2c310a946819b6fbffcd6ee935b688dc6948ea298e3460

Download Submit
C:\blocksavesperfMonitorDll\R7uOS4kiQeNNM8oo5bGADNHtfWe.vbe

Filesize
222B

MD5
a6f295a2e58c722b5935cc905e81fd8b

SHA1
a2a30408197320a639e3e2f18a57fc8578c97b58

SHA256
8bcebca170fc0768cb1afb63f1350d63c3a295b26ca04602e07ec43498b9691c

SHA512
839605d7eadcdc470dd4edd117cedd976cb9f36bf0a636d08afecc6378adadf0fccb80beb44de849b6dfec814845cef8ca83ca171b39c1f6d90d55485bd06635

Download Submit
C:\blocksavesperfMonitorDll\SAymW4LctOmWulF1E6221.bat

Filesize
43B

MD5
7c582abd8874b9cc60df72d62bd86440

SHA1
564e7b01338d08f657f2c02fa8fc5b8dadb92331

SHA256
c5e95b783c6ec1b98a40edf8663370c678de43e9b657e09ca1f054618277b329

SHA512
444cf67666329ea359e221560a229990013af07d1ed074b2406e903c7ee04cf279953ad0726a96c2ca875216da68369dfdde00f905adf1de9ed93b8582bf8828

Download Submit
C:\blocksavesperfMonitorDll\reviewDll.exe

Filesize
828KB

MD5
d9dac9e1d95e84e6aec084cf2ddb3f3a

SHA1
a231a41c7ad994879b15116dcea41fdc09bb5879

SHA256
0fbeb71fb1dfe793eace5ed167f035a8f4bcc6b56d0930b6b97481f2b222b1d5

SHA512
c4aa115de6f61c7311e8654d40537cd1ce08f0fb7efd0a225a42e06ad000ed420ba905e5cc26a19cb56af951ee1441aa257c073c47911a72fff733c0db1c2f9a

Download Submit
memory/812-123-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

Filesize
10.8MB

Download
memory/812-55-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

Filesize
10.8MB

Download
memory/812-0-0x00007FFC85053000-0x00007FFC85055000-memory.dmp

Filesize
8KB

Download
memory/812-10-0x00007FFC85050000-0x00007FFC85B12000-memory.dmp

Filesize
10.8MB

Download
memory/812-1-0x0000000000820000-0x00000000008BE000-memory.dmp

Filesize
632KB

Download
memory/1700-24-0x0000000000D40000-0x0000000000E16000-memory.dmp

Filesize
856KB

Download