dcrat | 406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b.exe
Size

1.3MB
MD5

5d09880164a3af567eb4a3e2d2a82b3a
SHA1

b4279a3154e690e6a67b1e8457bd3f6a10480ad0
SHA256

406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b
SHA512

17c2c60e41a1362d10ffcd1787656c4e83ed765617a95fbe7472bab0472514a02b8c3ba269d7c1bb84f0cc80ac276114f1e60328afd925620bea2e6f431b3498
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2724	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000173aa-9.dat	dcrat
behavioral1/memory/2184-13-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/1940-136-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/2380-255-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/404-315-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/1940-376-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2108-436-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/1696-496-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/2732-615-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
952	powershell.exe
2320	powershell.exe
2268	powershell.exe
2088	powershell.exe
1756	powershell.exe
2272	powershell.exe
1796	powershell.exe
1596	powershell.exe
2260	powershell.exe
1960	powershell.exe
2524	powershell.exe
2400	powershell.exe
2504	powershell.exe
2072	powershell.exe
2300	powershell.exe
2264	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2184	DllCommonsvc.exe
1940	csrss.exe
2200	csrss.exe
2380	csrss.exe
404	csrss.exe
1940	csrss.exe
2108	csrss.exe
1696	csrss.exe
704	csrss.exe
2732	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	cmd.exe
2508	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
21	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
9	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\en-US\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\en-US\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\system\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\system\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2116	schtasks.exe
1996	schtasks.exe
2916	schtasks.exe
2452	schtasks.exe
2136	schtasks.exe
1956	schtasks.exe
2352	schtasks.exe
1900	schtasks.exe
2568	schtasks.exe
1916	schtasks.exe
2096	schtasks.exe
1816	schtasks.exe
3036	schtasks.exe
2908	schtasks.exe
1964	schtasks.exe
2348	schtasks.exe
2288	schtasks.exe
2808	schtasks.exe
1500	schtasks.exe
2876	schtasks.exe
1260	schtasks.exe
2852	schtasks.exe
2648	schtasks.exe
3032	schtasks.exe
1512	schtasks.exe
964	schtasks.exe
1940	schtasks.exe
2608	schtasks.exe
2840	schtasks.exe
3048	schtasks.exe
988	schtasks.exe
2488	schtasks.exe
1200	schtasks.exe
2156	schtasks.exe
1096	schtasks.exe
404	schtasks.exe
756	schtasks.exe
1168	schtasks.exe
2148	schtasks.exe
308	schtasks.exe
2028	schtasks.exe
2904	schtasks.exe
2900	schtasks.exe
2220	schtasks.exe
1052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
1756	powershell.exe
2320	powershell.exe
2088	powershell.exe
2524	powershell.exe
2400	powershell.exe
2504	powershell.exe
1960	powershell.exe
1796	powershell.exe
2264	powershell.exe
2268	powershell.exe
2260	powershell.exe
2072	powershell.exe
2300	powershell.exe
1596	powershell.exe
952	powershell.exe
2272	powershell.exe
1940	csrss.exe
2200	csrss.exe
2380	csrss.exe
404	csrss.exe
1940	csrss.exe
2108	csrss.exe
1696	csrss.exe
704	csrss.exe
2732	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	DllCommonsvc.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1940	csrss.exe
Token: SeDebugPrivilege	2200	csrss.exe
Token: SeDebugPrivilege	2380	csrss.exe
Token: SeDebugPrivilege	404	csrss.exe
Token: SeDebugPrivilege	1940	csrss.exe
Token: SeDebugPrivilege	2108	csrss.exe
Token: SeDebugPrivilege	1696	csrss.exe
Token: SeDebugPrivilege	704	csrss.exe
Token: SeDebugPrivilege	2732	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 776	1960	JaffaCakes118_406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b.exe	30
PID 1960 wrote to memory of 776	1960	JaffaCakes118_406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b.exe	30
PID 1960 wrote to memory of 776	1960	JaffaCakes118_406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b.exe	30
PID 1960 wrote to memory of 776	1960	JaffaCakes118_406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b.exe	30
PID 776 wrote to memory of 2508	776	WScript.exe	32
PID 776 wrote to memory of 2508	776	WScript.exe	32
PID 776 wrote to memory of 2508	776	WScript.exe	32
PID 776 wrote to memory of 2508	776	WScript.exe	32
PID 2508 wrote to memory of 2184	2508	cmd.exe	34
PID 2508 wrote to memory of 2184	2508	cmd.exe	34
PID 2508 wrote to memory of 2184	2508	cmd.exe	34
PID 2508 wrote to memory of 2184	2508	cmd.exe	34
PID 2184 wrote to memory of 2264	2184	DllCommonsvc.exe	81
PID 2184 wrote to memory of 2264	2184	DllCommonsvc.exe	81
PID 2184 wrote to memory of 2264	2184	DllCommonsvc.exe	81
PID 2184 wrote to memory of 2524	2184	DllCommonsvc.exe	82
PID 2184 wrote to memory of 2524	2184	DllCommonsvc.exe	82
PID 2184 wrote to memory of 2524	2184	DllCommonsvc.exe	82
PID 2184 wrote to memory of 2320	2184	DllCommonsvc.exe	83
PID 2184 wrote to memory of 2320	2184	DllCommonsvc.exe	83
PID 2184 wrote to memory of 2320	2184	DllCommonsvc.exe	83
PID 2184 wrote to memory of 952	2184	DllCommonsvc.exe	84
PID 2184 wrote to memory of 952	2184	DllCommonsvc.exe	84
PID 2184 wrote to memory of 952	2184	DllCommonsvc.exe	84
PID 2184 wrote to memory of 1756	2184	DllCommonsvc.exe	85
PID 2184 wrote to memory of 1756	2184	DllCommonsvc.exe	85
PID 2184 wrote to memory of 1756	2184	DllCommonsvc.exe	85
PID 2184 wrote to memory of 2088	2184	DllCommonsvc.exe	87
PID 2184 wrote to memory of 2088	2184	DllCommonsvc.exe	87
PID 2184 wrote to memory of 2088	2184	DllCommonsvc.exe	87
PID 2184 wrote to memory of 2300	2184	DllCommonsvc.exe	88
PID 2184 wrote to memory of 2300	2184	DllCommonsvc.exe	88
PID 2184 wrote to memory of 2300	2184	DllCommonsvc.exe	88
PID 2184 wrote to memory of 2268	2184	DllCommonsvc.exe	89
PID 2184 wrote to memory of 2268	2184	DllCommonsvc.exe	89
PID 2184 wrote to memory of 2268	2184	DllCommonsvc.exe	89
PID 2184 wrote to memory of 2260	2184	DllCommonsvc.exe	90
PID 2184 wrote to memory of 2260	2184	DllCommonsvc.exe	90
PID 2184 wrote to memory of 2260	2184	DllCommonsvc.exe	90
PID 2184 wrote to memory of 2400	2184	DllCommonsvc.exe	91
PID 2184 wrote to memory of 2400	2184	DllCommonsvc.exe	91
PID 2184 wrote to memory of 2400	2184	DllCommonsvc.exe	91
PID 2184 wrote to memory of 1596	2184	DllCommonsvc.exe	93
PID 2184 wrote to memory of 1596	2184	DllCommonsvc.exe	93
PID 2184 wrote to memory of 1596	2184	DllCommonsvc.exe	93
PID 2184 wrote to memory of 1796	2184	DllCommonsvc.exe	95
PID 2184 wrote to memory of 1796	2184	DllCommonsvc.exe	95
PID 2184 wrote to memory of 1796	2184	DllCommonsvc.exe	95
PID 2184 wrote to memory of 2072	2184	DllCommonsvc.exe	97
PID 2184 wrote to memory of 2072	2184	DllCommonsvc.exe	97
PID 2184 wrote to memory of 2072	2184	DllCommonsvc.exe	97
PID 2184 wrote to memory of 1960	2184	DllCommonsvc.exe	100
PID 2184 wrote to memory of 1960	2184	DllCommonsvc.exe	100
PID 2184 wrote to memory of 1960	2184	DllCommonsvc.exe	100
PID 2184 wrote to memory of 2272	2184	DllCommonsvc.exe	101
PID 2184 wrote to memory of 2272	2184	DllCommonsvc.exe	101
PID 2184 wrote to memory of 2272	2184	DllCommonsvc.exe	101
PID 2184 wrote to memory of 2504	2184	DllCommonsvc.exe	102
PID 2184 wrote to memory of 2504	2184	DllCommonsvc.exe	102
PID 2184 wrote to memory of 2504	2184	DllCommonsvc.exe	102
PID 2184 wrote to memory of 2812	2184	DllCommonsvc.exe	109
PID 2184 wrote to memory of 2812	2184	DllCommonsvc.exe	109
PID 2184 wrote to memory of 2812	2184	DllCommonsvc.exe	109
PID 2812 wrote to memory of 2432	2812	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_406b94c2f85aa76571ff24e79fd53ebef3927ca1614882e7a76b2b3694498b7b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\en-US\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7u00F0cTd8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2432
      - C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
        7⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:568
        
        C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        9⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2596
        
        C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        11⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1168
        
        C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
        13⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2304
        
        C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
        15⤵
        
        PID:608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2864
        
        C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
        17⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2612
        
        C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        19⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2156
        
        C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        21⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2116
        
        C:\Program Files\7-Zip\Lang\csrss.exe
        
        "C:\Program Files\7-Zip\Lang\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\system\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\system\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\Registration\CRMLog\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09b77b3e69c98672a2dcd203cbbbd0ac

SHA1
5d7e7df4889a2826e46658f93f5e634492586b75

SHA256
2a6bc79ac25395c1a831e23f13baec11bab86375e07240562602ff261586970f

SHA512
7b2392a9dd70c373cbec37bb39cf5f29c4009c8db61ec98961d75e0db7309311780eea03a267a789e614f089c40a504c3e789ec093dc08e26ceaef4625c48b64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b19bacbb3c77f084109233508250d1c

SHA1
87655df076107f533554c0ab8ac5463a0a1d1aa9

SHA256
156828073b84082878ead9fcee2c30fb806a0f1ad3638ae076d77d7ed31974b8

SHA512
68c63bcc1bebc91d627ac0c2098efba178b02b0223c00ac0d67534240c860d789f46040c9c3b8ecb89a90ad8f63872626610a3e3fa25811243e3a8a6e47a1bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16db0cfedb7b5741e6516e457297e6f1

SHA1
f8ba1fb55edf17dc3e07fc9113c86817559bb0d8

SHA256
552db29d4d45496a4179f43c0ac791a90018497ded4f65e95e923d78adad7c26

SHA512
a33ecda78aa025a2464b035eda82ce427b7a28261d29d4011ccc3b995c473c15c1f07fdf099b1e9ac4aa5adc3e3c640c9d0b9c657c652355c42bde5ee2a7b9f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b720417d448bbad57f5b3022efe5d7f

SHA1
5da9f43db65f9f5ef8fc67fc50d831fbc807b79f

SHA256
12c465f4da3c11bcefadbd4228ce6de1eb310ed35d578269d4b9e73b58d8adc6

SHA512
e00fbc30bc7bc0cadaf2ef2353182c189a872929e37d59c5d3d6b19150d20da171858d5266118b61e483524815a23243106c379cdfa80d1cb22c9832925b7fa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41d850aa15af5943d74a8d96ed1d169f

SHA1
9a44292ec3f08cc60e2599abdbf2fd369b5521f3

SHA256
b3ff52c0fff9b9ec022c2d97fdd3f3a7f8d5c69bd112b296a63f0f3a9031a831

SHA512
e23136e0f04843946b2d6bbb3ddccc44207acd3f77c4733e9946f905638c91a20ab6de5c8f3a3d49ce1ce00f32e132318ba6389925bdc96e2e886b6fa3e66236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd172e38c4f6542a7e3206841dbd8a52

SHA1
ef7ab9664f1415e3f995523d20f697905c902822

SHA256
91fccb2f6ed58cd28dc61113ae889c5ca46d9998904c163efe83bbccf7ce99a5

SHA512
6dd23171b3210b273ce22c03d62bbe2a4816fe82f48b7211ef00e36d32ccfadbd46d682ece5ba24e8cb25d42c44e402203d374bd74be5ac45634e9c555e892d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0058cd79b7592f51cf43fbac76894ba

SHA1
bdb3b5a55b5037ad50d3b446bdee5d79ed26c465

SHA256
3318ad1ca72aaa519848f30a2f0bdf9bca4f8f72e5620970a298e6a15dc3272f

SHA512
f91cac63b506a4f0882a1011c8c2d5fedfc83b2259e3211aa96061e8c3849259ea5bfeae867e2207dd7acc382be9d8d2af0eab8f77a82a4a11706dd1502b45a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

Filesize
202B

MD5
e3a93b3100bb98da10c703738fbc79dd

SHA1
c6f70f25a4e8a2c23ff984da357c24dfdd42265e

SHA256
65aed9cdffa612ed8b2363254934aed0fa638e667f1c75febb3dff248c38bc6b

SHA512
98130675e20e6f18eb09a66466de42de7ed58d58778acc77518c1fe3800ce93f8dc9f59e2a7fcd159f2f97eeebc69833e876341d330216c3090e721d57e6908f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7u00F0cTd8.bat

Filesize
202B

MD5
6573398a78e059ca9ff550a33107064e

SHA1
2a8ee24e7d90318f56952d5b20c7a54c480b0e5e

SHA256
6bb9853742e2a172063e57d48da5ab0b7caa5c9efd3ab7a6a6fc54cf42d56602

SHA512
99d23f1fab33dd2e879e25def363a325bbdcfe44e8a770c0bacb340f76f4fd532dd3174c594a7b56ce762590d52427906ab5d99569c5893f68e949f4e387ad77

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
202B

MD5
f81fd0b8efd5757b5770f4c1afdcdce7

SHA1
e4beb30ef0284634c29b80badf2f3fd9bb12fe59

SHA256
20254cdb43aba043ab3f1edcf9511ecfe247a6cf66c9324a967c4e546f28c515

SHA512
811b2a2141420077f5493a72d38f426fa462e5a3fb962eabb30e422787303a9f23de8d43054f4a75a0dc9be1f3a7b4a6d3e01439a91f0db87f1e489672cb9e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat

Filesize
202B

MD5
b4a230cf432e9f5f940b4703b021a2c5

SHA1
7361b766474e9448905e4dc0fee04c4f333a5d14

SHA256
74d0463a737fb04bff70a3f1f78e98789c44e07d79655d911ee33dd84d1fe44c

SHA512
0885b866382b39d891fdf64a233bd158c2afd931cbb35c983bc8e684696c458ed6dc3e0573b3a66c99040fdfac5767aa46d68e45c0586185c3552bba13397e7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab43B6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
202B

MD5
2a182c885c20e2a31cde0376af095c14

SHA1
ba14df95452935569c187d2b4c597f147883186a

SHA256
a15307d8002833367a0ae34665e75afb0f437fa357ea1ddc84edc6607febe6f2

SHA512
5e061a74d794c8783f1623964051ec379f5fa31cd9c222be36aec8f8939fdce92c7a6ca856b79e2dc72c6c054c48ee5f5498f7224c31c181127d32a6e8b84f6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

Filesize
202B

MD5
946a34a9655e34e0c7a783b8234c7aa5

SHA1
573560be2927e7ad6f31122e8f724aa90fc32f26

SHA256
0bab03864b6803bce28dc8858b49dffc1a20d1d1fded8125801a8232fab25ffa

SHA512
56164b61b8655038ead75d86b7e3dac8cabf868809ac7d7ff6bd3041746683ffd9968377f6fef9cea8a845d80b62bba575e3a1fddfa2e576f259b15ba7bfe45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar43D9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
202B

MD5
cda10dfa1dcb5e5c8c6bf7a9953abac5

SHA1
703faa374bd9f36cda9b91b01dcfa75b7f46dd6e

SHA256
89f2ee3a50487b772f987b437a9283b627282c0f45e01bf7aac9430f29a9f086

SHA512
4514155531d947e3bf5056dcd12fc1a0b3226969bf71c2480fa75d5604d044cfe6885bdb2fb024c5e633c1c852007c31f0e92201ed845a2027e3fe87e92a9f67

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
202B

MD5
e308ce1032a63568cff5a60ed0388671

SHA1
1bfb8ba192da054b90c88c33cc1b010bb3b9b5e3

SHA256
c21cb2a03c16ff3a09551a3a42603ea4ba6d2b79a0c495b8fdbe0a0d9551a17b

SHA512
070f12d3db8b3ec377ec6d9f365689c23355bca11571f2f8dc48be5a31156cda8fe45957f866fb3aabc5f479b21cf3c41dac215cc67856f0f1673ec58da1d4d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

Filesize
202B

MD5
c8cb576e265849c682dc8f754939442d

SHA1
2aaf1d83137c675b844131ddc97a67ce78929838

SHA256
3556b59f98cd1d3caca035eb7902cddd1865f2c5f3157f0678d5f11a7cac1428

SHA512
d85455864c78bbc18a67517a320da8446e34ffc011abc3ecbb62a4c43c75f0677a852cafc286c700084a086a1b81d532d996f0fd42a2b17929bf9e26dc92ac36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ec1c9cecb4dda13398a923a1f339ede8

SHA1
c1209e7f989daf5ed583d0f5de39fbbf80903c65

SHA256
6d8acba739bbfc487eb4d26e069b233a3037654c64a2fd691e2497548c79a0c8

SHA512
609e30c94cc8e674930d1425e2c0aaa9b41fbfc90c66e58e424a8093dea771b108e7469c5ced84a9baa669fa3bfcafbb05be8bd7cb7897355350ae70ef190345

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/404-315-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/404-316-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1696-496-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/1940-376-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/1940-137-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1940-136-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/2108-436-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2184-17-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2184-16-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2184-15-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2184-14-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2184-13-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/2320-68-0x000000001B8E0000-0x000000001BBC2000-memory.dmp

Filesize
2.9MB

Download
memory/2320-69-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2380-255-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-615-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download