dcrat | 36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c.exe
Size

1.3MB
MD5

90dae2decd20d9fc279356bd42769ea9
SHA1

51fcc1ebab6915257231fdb3fb836726e5286f62
SHA256

36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c
SHA512

1a3c844d05aab8da7290f8d917c2aaacf9945f6486f338f98f397869fefeccc2e0d6cfd936eef912fdcec1dc0f0580fe06a21cbee5903d69272dcb2bd4c85c43
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2980	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2980	schtasks.exe	32

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c73-12.dat	dcrat
behavioral1/memory/2948-13-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2828-127-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2604-422-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2312-541-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1628-601-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe
2148	powershell.exe
2388	powershell.exe
2384	powershell.exe
1636	powershell.exe
996	powershell.exe
760	powershell.exe
3068	powershell.exe
2252	powershell.exe
2336	powershell.exe
664	powershell.exe
892	powershell.exe
320	powershell.exe
1996	powershell.exe
568	powershell.exe
2216	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2948	DllCommonsvc.exe
2828	csrss.exe
2404	csrss.exe
684	csrss.exe
2168	csrss.exe
1940	csrss.exe
2604	csrss.exe
2408	csrss.exe
2312	csrss.exe
1628	csrss.exe
1556	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	cmd.exe
2296	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Journal\Templates\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\CBS\System.exe	DllCommonsvc.exe
File created	C:\Windows\Logs\CBS\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1732	schtasks.exe
1396	schtasks.exe
2832	schtasks.exe
2800	schtasks.exe
1760	schtasks.exe
2668	schtasks.exe
2492	schtasks.exe
2540	schtasks.exe
924	schtasks.exe
792	schtasks.exe
2168	schtasks.exe
2968	schtasks.exe
2020	schtasks.exe
2264	schtasks.exe
2364	schtasks.exe
604	schtasks.exe
1156	schtasks.exe
2652	schtasks.exe
1632	schtasks.exe
1924	schtasks.exe
2868	schtasks.exe
2872	schtasks.exe
2200	schtasks.exe
2804	schtasks.exe
848	schtasks.exe
2312	schtasks.exe
2548	schtasks.exe
2340	schtasks.exe
2016	schtasks.exe
1320	schtasks.exe
1052	schtasks.exe
2696	schtasks.exe
2700	schtasks.exe
2792	schtasks.exe
1872	schtasks.exe
1620	schtasks.exe
2984	schtasks.exe
1276	schtasks.exe
1600	schtasks.exe
1696	schtasks.exe
1800	schtasks.exe
2768	schtasks.exe
2764	schtasks.exe
1700	schtasks.exe
876	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2948	DllCommonsvc.exe
2216	powershell.exe
320	powershell.exe
1996	powershell.exe
1636	powershell.exe
892	powershell.exe
568	powershell.exe
760	powershell.exe
2388	powershell.exe
2252	powershell.exe
664	powershell.exe
2336	powershell.exe
2148	powershell.exe
3068	powershell.exe
2240	powershell.exe
2384	powershell.exe
996	powershell.exe
2828	csrss.exe
2404	csrss.exe
684	csrss.exe
2168	csrss.exe
1940	csrss.exe
2604	csrss.exe
2408	csrss.exe
2312	csrss.exe
1628	csrss.exe
1556	csrss.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	DllCommonsvc.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	664	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	2828	csrss.exe
Token: SeDebugPrivilege	2404	csrss.exe
Token: SeDebugPrivilege	684	csrss.exe
Token: SeDebugPrivilege	2168	csrss.exe
Token: SeDebugPrivilege	1940	csrss.exe
Token: SeDebugPrivilege	2604	csrss.exe
Token: SeDebugPrivilege	2408	csrss.exe
Token: SeDebugPrivilege	2312	csrss.exe
Token: SeDebugPrivilege	1628	csrss.exe
Token: SeDebugPrivilege	1556	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2052	1032	36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c.exe	28
PID 1032 wrote to memory of 2052	1032	36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c.exe	28
PID 1032 wrote to memory of 2052	1032	36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c.exe	28
PID 1032 wrote to memory of 2052	1032	36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c.exe	28
PID 2052 wrote to memory of 2296	2052	WScript.exe	29
PID 2052 wrote to memory of 2296	2052	WScript.exe	29
PID 2052 wrote to memory of 2296	2052	WScript.exe	29
PID 2052 wrote to memory of 2296	2052	WScript.exe	29
PID 2296 wrote to memory of 2948	2296	cmd.exe	31
PID 2296 wrote to memory of 2948	2296	cmd.exe	31
PID 2296 wrote to memory of 2948	2296	cmd.exe	31
PID 2296 wrote to memory of 2948	2296	cmd.exe	31
PID 2948 wrote to memory of 320	2948	DllCommonsvc.exe	78
PID 2948 wrote to memory of 320	2948	DllCommonsvc.exe	78
PID 2948 wrote to memory of 320	2948	DllCommonsvc.exe	78
PID 2948 wrote to memory of 2252	2948	DllCommonsvc.exe	79
PID 2948 wrote to memory of 2252	2948	DllCommonsvc.exe	79
PID 2948 wrote to memory of 2252	2948	DllCommonsvc.exe	79
PID 2948 wrote to memory of 2336	2948	DllCommonsvc.exe	80
PID 2948 wrote to memory of 2336	2948	DllCommonsvc.exe	80
PID 2948 wrote to memory of 2336	2948	DllCommonsvc.exe	80
PID 2948 wrote to memory of 2388	2948	DllCommonsvc.exe	81
PID 2948 wrote to memory of 2388	2948	DllCommonsvc.exe	81
PID 2948 wrote to memory of 2388	2948	DllCommonsvc.exe	81
PID 2948 wrote to memory of 2384	2948	DllCommonsvc.exe	82
PID 2948 wrote to memory of 2384	2948	DllCommonsvc.exe	82
PID 2948 wrote to memory of 2384	2948	DllCommonsvc.exe	82
PID 2948 wrote to memory of 1636	2948	DllCommonsvc.exe	83
PID 2948 wrote to memory of 1636	2948	DllCommonsvc.exe	83
PID 2948 wrote to memory of 1636	2948	DllCommonsvc.exe	83
PID 2948 wrote to memory of 2240	2948	DllCommonsvc.exe	84
PID 2948 wrote to memory of 2240	2948	DllCommonsvc.exe	84
PID 2948 wrote to memory of 2240	2948	DllCommonsvc.exe	84
PID 2948 wrote to memory of 568	2948	DllCommonsvc.exe	85
PID 2948 wrote to memory of 568	2948	DllCommonsvc.exe	85
PID 2948 wrote to memory of 568	2948	DllCommonsvc.exe	85
PID 2948 wrote to memory of 1996	2948	DllCommonsvc.exe	86
PID 2948 wrote to memory of 1996	2948	DllCommonsvc.exe	86
PID 2948 wrote to memory of 1996	2948	DllCommonsvc.exe	86
PID 2948 wrote to memory of 2216	2948	DllCommonsvc.exe	87
PID 2948 wrote to memory of 2216	2948	DllCommonsvc.exe	87
PID 2948 wrote to memory of 2216	2948	DllCommonsvc.exe	87
PID 2948 wrote to memory of 996	2948	DllCommonsvc.exe	88
PID 2948 wrote to memory of 996	2948	DllCommonsvc.exe	88
PID 2948 wrote to memory of 996	2948	DllCommonsvc.exe	88
PID 2948 wrote to memory of 760	2948	DllCommonsvc.exe	89
PID 2948 wrote to memory of 760	2948	DllCommonsvc.exe	89
PID 2948 wrote to memory of 760	2948	DllCommonsvc.exe	89
PID 2948 wrote to memory of 3068	2948	DllCommonsvc.exe	90
PID 2948 wrote to memory of 3068	2948	DllCommonsvc.exe	90
PID 2948 wrote to memory of 3068	2948	DllCommonsvc.exe	90
PID 2948 wrote to memory of 664	2948	DllCommonsvc.exe	91
PID 2948 wrote to memory of 664	2948	DllCommonsvc.exe	91
PID 2948 wrote to memory of 664	2948	DllCommonsvc.exe	91
PID 2948 wrote to memory of 2148	2948	DllCommonsvc.exe	92
PID 2948 wrote to memory of 2148	2948	DllCommonsvc.exe	92
PID 2948 wrote to memory of 2148	2948	DllCommonsvc.exe	92
PID 2948 wrote to memory of 892	2948	DllCommonsvc.exe	93
PID 2948 wrote to memory of 892	2948	DllCommonsvc.exe	93
PID 2948 wrote to memory of 892	2948	DllCommonsvc.exe	93
PID 2948 wrote to memory of 2176	2948	DllCommonsvc.exe	102
PID 2948 wrote to memory of 2176	2948	DllCommonsvc.exe	102
PID 2948 wrote to memory of 2176	2948	DllCommonsvc.exe	102
PID 2176 wrote to memory of 1700	2176	cmd.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c.exe
"C:\Users\Admin\AppData\Local\Temp\36d248189ae4831364990b9a6d2c79653852948da70b822a0da3decb7a5a8e8c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Logs\CBS\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWP9YLrY7v.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1700
      - C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        7⤵
        
        PID:2480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2668
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        9⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2896
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
        11⤵
        
        PID:2636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2956
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat"
        13⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:924
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        15⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1604
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
        17⤵
        
        PID:2344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2388
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        19⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2844
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
        21⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:580
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
        23⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3020
        
        C:\Program Files\Windows Journal\Templates\csrss.exe
        
        "C:\Program Files\Windows Journal\Templates\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Logs\CBS\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Logs\CBS\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Logs\CBS\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f35014511d3fad295c92343924bb6dc9

SHA1
2f0c46c267a0e07788b55930981a3c1b1ae0f0ec

SHA256
807137baaddad6f74c2998e891f344966507f12eddee84ce70e4f37dfd9f41c7

SHA512
8e0a44eb75ea7d619bb9ae10b308bbff4f944a6918face7ff820374b07625670f5d95fb8992cbe18e97d65d17f58a36aa079ef673728da732c6b80e7867a7156

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af728eaab9abbf9909ad027af3a0ea66

SHA1
9b58dd5680fd9c15fa0e8252fe2b269eb67116e3

SHA256
d8d9ce1bade60b1ff1fcea232088dcd760b14ad840bda54a4e67cf64fa861209

SHA512
2db50ad87f06b99c4ea90a7922d27fb501e7b13b0be455b48ba199e2a581d783cb22057f7a6886108c38d33f7e31d8705e65f0631370c0d46dfd7e778e4f5392

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dfd0b5d708fbdfd433de643d129a353

SHA1
5173f64ba28a146165a92abd2a81b85b421f5097

SHA256
def46fd6cfdea45cc30edba15013d1897bb54b9b34ab2159e9e4a3ab3998bf38

SHA512
8883fa60b4ba1ca95f18e77b1265cbfbc48c6a7bee5daebe08c1dae2062188f5277712a650ef7381657307e0b403aa9a30a454b18bb0b247ac1f73a038d2e2bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87a2a89fc6df38d605db908b08a211db

SHA1
40b003bd16fc85842514645757a3b912410a9d66

SHA256
187685d901037aa019740db44004459c2fecbf646c2870a11bd6e50b3b904f66

SHA512
c3c1f934c9979af06c5c6170318f2500ef98d14f86c873d96766e5f73b89e6c459eca377c044c6b67e53b5a89c5f31786cfce37cd54878f3bace84249366e1f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d454b44fa8a8566eb913b5dba787544

SHA1
7b3ba6e92e05b1bf8e5c9548d97d1bafd46e7fa5

SHA256
203c555bc1c882bcebc77866a3282652451a618ffae979a7c2be7aeb395d3068

SHA512
d9593fd96794bbc10c681c1b0fdba042b3299ccee70369140a0b083ecae50d98d3da67b3a88df330f94184d3ebdf646cd1574550865e58f8df232b9fc00b1293

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1146890c34ae86bc593cfbcaddf87ae

SHA1
b79b87083ea55853be80606e86cc1d1be7e1b459

SHA256
c5adf1c0a8f4916cad7ad462ed76101435c83d20ffe8895103c7869f30f0f9ec

SHA512
b5cd49cabe8675e158180acd4e39c575cab9b54ac88e1e060c1202410faf65763829595c3091f8c02af905b4526ff657d86369a5c604906d22d4f51d5535d662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53b1fa1f336d514de128b16e76d30ea6

SHA1
bbbf631a8223d75d078de5e8862d1787317672bf

SHA256
eaa411435a1726ad306fd59088035c1658e126c7533bdad40bbb009039156098

SHA512
49b75324e45084f7b5a1c06ff786ce7d5c51eb62f8ebff37943f3be3f9f873289dd33880a2bd00d9effa4cf4aa9613a25e73512f995d08824125d4ad91ac6445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31cb24a00dd492d002c0e4d64277c385

SHA1
299a25e905db1f2c71a2e31e77636e4b40b56973

SHA256
f639ec3fa946f8edd65297b15b5a6d9758cedd3941fbea10326ea0985cece4e1

SHA512
9a1e224106b3b30fbe1c39958f496c8c73b4b44e3fa2c4b4db04d885a0eebe01ab06005b9af316fd017f0a619c5a9efdf2e3c9a1c99be4927d04e3d33adbb945

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

Filesize
217B

MD5
828d487287f5befe908c30bc100265fd

SHA1
769ea2c47d81c8cfebaa4bef360bcdb20e7f7d28

SHA256
dc032db194acffb95558cfc5c1bc19d69891ece1eec6b5e482bd6edc271e39e2

SHA512
e4a0269707a8a11434edba0c7562158ee1f75d520f5a532a8b2b03286506945068434f38796aa237a1a469f24701c03a025266a136542def61872d2ea45ae608

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWP9YLrY7v.bat

Filesize
217B

MD5
1c50caa51d9969baa7d9eb1a8504dbfb

SHA1
795bba5c22cd273f0f761ad89ce7f97722ac1370

SHA256
4427700dce10bab920ece9e7cd992c53555f60f167feb5af01047194b79bafe7

SHA512
5e7be97fc672719a508cfdd697f93814083a7a2461ba5275c43aa1ff504f51cd609db5cafb80630c329b2a16ea87c7af7426cdd9967067d1be23557b082a1eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

Filesize
217B

MD5
a18c56f69e1d5bd02d4b5c802fef6ef2

SHA1
a1141b115ad9bc0173dff4a372b078326a4fb460

SHA256
36441d2e0794be691ac37dabd7b7d4276849b683e55b929ff0b8cc09055aa345

SHA512
fde4c78ede689f686078aaa5dda227e5525a255153bb4df710cc72e23a1321aec318b989dfe0273c1b99182c05adf45e6c8a56e20aa32c4752c20ee0242dda96

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC69B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

Filesize
217B

MD5
981d83a1af1268f38c01e88ca8b54ff2

SHA1
814391f556181316dcdbe8d56149d3cf5dcf5e4a

SHA256
890320bd3ffed2a038b67cb49b5e515b86b001d1202a87c6661f97fddb0f0655

SHA512
0709b0af6583229ac0792b9869f3af9bf8b12dfc8b9b978972a4d4ae01400a148e9a8119f93d262ec6bb58a5dc032e8999e6c5a5e7d8ce54c27162bf7ed45fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

Filesize
217B

MD5
20093f9f4bba109ff0f290bef890ca53

SHA1
7f1ce349bd59360bc0c329b8adfcc9b829f00ec3

SHA256
bd44fff22dbe149951409fa3759a3ce93e5ec9034b4a460d09275d314522e804

SHA512
cb4e3243889c2f3cc0f1b847834e061820adf0f7c36aff58affe81f3a5174db024f343383cb4d02039f647a9045a7cdc5c17f86848c1f967d3ff664d0d256972

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
217B

MD5
c21225a3c366c83a3f7d06b25f3e949f

SHA1
5ec00b8daf3a2dbfb538e6938dac3d948750f253

SHA256
6fe057fcc1be13eb8c412734f32be07b5468d4ae14dd279c085f22d3f7330c23

SHA512
7cdbce3fa11c88b83f70094c989b9cdc0aca02ade5c352f99623a0b2abfc4a29e2558dfddf574a302cbee4a02abbd1c08b310b024ab1f5b4e4ae3ea5c8bc0bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC6CD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
217B

MD5
af4c98d2f0ce2732351c768c7f33ffae

SHA1
6bbff63676b431b6a2ffd9802b604919e128efcb

SHA256
d23b68a28b663536b1f036215815c78c917c3368f89918dea31385bb5a1d165d

SHA512
6d74ab99336f9b967f03d7ee57bcb0afac133a66d59a7dd1d478a8bf9284a6e0bc85fb4777b81a26139e2341440b56401f8611270a9398add357e0174aaf75b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGW3UwTeX7.bat

Filesize
217B

MD5
8653c37a63cf4b5d8786420e7d8c5df0

SHA1
da13681fb5317b2fad39d6e175c273d5d9998a15

SHA256
52a537ac6c57fcfecec5322682db88e738493c61e2d505be1244af9863d7d14c

SHA512
70eaef9ee219be1500389d0e02146bd0fba77fafabb4a4478dde4dee4e2bc97bd80c6f31dede21f6e673bb48dbce83b6bb1af89e0815ce1da9475935f692eec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
217B

MD5
01544d98c777f5f0e717df2a6ecf224c

SHA1
ccb1ff4ae99510abf6244880808998046e7f97d3

SHA256
38e3f50db15bf2f3c53a07fb142cc59e29560f4f7d509e97d58a5797b68514a2

SHA512
503d8c17f21baeff37949055bd6e017fd5d240a138a01b9f09d8bf07b6903548f2fc9b282070c00c91b2d8fedecfddea3792fd7c2eef559bdc731bcb066456d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
217B

MD5
777f4ef1b8a40d107fa7d2281ab80e1e

SHA1
911d71b1d88dbb03d471bfd2a7e8e551aca48ded

SHA256
221d4ab3eccbabf6c7df1c8742eec9082544cf08b0464af8603760b6ef79e3b9

SHA512
23839b42c685998db175d16c0cb448799afa33203824afc95d5ee82d2c223daa28927b2dc1f716bd300780205a1326f021c0e458a3fc81ae7db2486bd27623bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9SUYQ2TID92RHO7GHQ1E.temp

Filesize
7KB

MD5
863e20d02e21cd9b510c107bb92040c8

SHA1
606e8a82e803e971e06e7c8bb8e19c20e98a9492

SHA256
d0e3a69e433199e5a3c255ab5a2459ce761aa5b2d7f0b29b0e6f01d183fddc89

SHA512
bf8ce3cdd0d3d0d0dd9d18fbd467c0aa03e51e4b423a9cd26f61b10168bb2c9c766b862d286bbeec54595a3114e97d04251c504ae7b40c6f37bae6422295eb69

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1628-601-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2216-85-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2216-86-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/2312-541-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2604-422-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2828-127-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2948-16-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2948-13-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2948-14-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2948-15-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2948-17-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download