dcrat | 05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8.exe
Size

1.3MB
MD5

302a0481f155ab2ad375603cb97cb146
SHA1

8001eaf70efac4c8b035d7c9faa9d6c8b17eb805
SHA256

05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8
SHA512

8f813cd7d2bfbc349cde96ab7287ccd542b29fe06b1ac77b9ff222231c0589fb401d5b81693e071e902178580460c479421c0fa1f9244a5e6195847627b83379
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2860	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2860	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016ca0-9.dat	dcrat
behavioral1/memory/2288-13-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2396-133-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2464-192-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/2752-370-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1928-430-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1752-490-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/2012-550-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1048	powershell.exe
1476	powershell.exe
1956	powershell.exe
876	powershell.exe
3008	powershell.exe
1584	powershell.exe
1452	powershell.exe
1224	powershell.exe
1088	powershell.exe
2320	powershell.exe
1576	powershell.exe
2208	powershell.exe
2064	powershell.exe
2476	powershell.exe
1240	powershell.exe
2664	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2288	DllCommonsvc.exe
2396	sppsvc.exe
2464	sppsvc.exe
2976	sppsvc.exe
2400	sppsvc.exe
2752	sppsvc.exe
1928	sppsvc.exe
1752	sppsvc.exe
2012	sppsvc.exe
2340	sppsvc.exe
2216	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	cmd.exe
2832	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
37	raw.githubusercontent.com
27	raw.githubusercontent.com
13	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0006\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1504	schtasks.exe
480	schtasks.exe
2124	schtasks.exe
280	schtasks.exe
2100	schtasks.exe
2968	schtasks.exe
2032	schtasks.exe
2764	schtasks.exe
1744	schtasks.exe
2284	schtasks.exe
2868	schtasks.exe
2572	schtasks.exe
1520	schtasks.exe
2044	schtasks.exe
3052	schtasks.exe
576	schtasks.exe
716	schtasks.exe
548	schtasks.exe
2364	schtasks.exe
1416	schtasks.exe
684	schtasks.exe
2296	schtasks.exe
464	schtasks.exe
1364	schtasks.exe
896	schtasks.exe
2172	schtasks.exe
292	schtasks.exe
2452	schtasks.exe
1968	schtasks.exe
1748	schtasks.exe
1324	schtasks.exe
620	schtasks.exe
2340	schtasks.exe
1468	schtasks.exe
2156	schtasks.exe
2448	schtasks.exe
268	schtasks.exe
532	schtasks.exe
1456	schtasks.exe
2116	schtasks.exe
2480	schtasks.exe
764	schtasks.exe
2348	schtasks.exe
2528	schtasks.exe
2372	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
2396	sppsvc.exe
2464	sppsvc.exe
2976	sppsvc.exe
2400	sppsvc.exe
2752	sppsvc.exe
1928	sppsvc.exe
1752	sppsvc.exe
2012	sppsvc.exe
2340	sppsvc.exe
2216	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2288	DllCommonsvc.exe
2288	DllCommonsvc.exe
2288	DllCommonsvc.exe
2288	DllCommonsvc.exe
2288	DllCommonsvc.exe
2288	DllCommonsvc.exe
2288	DllCommonsvc.exe
2476	powershell.exe
2664	powershell.exe
2208	powershell.exe
1576	powershell.exe
1452	powershell.exe
1088	powershell.exe
2320	powershell.exe
1224	powershell.exe
1476	powershell.exe
3008	powershell.exe
876	powershell.exe
1584	powershell.exe
1240	powershell.exe
1048	powershell.exe
1956	powershell.exe
2064	powershell.exe
2396	sppsvc.exe
2464	sppsvc.exe
2976	sppsvc.exe
2400	sppsvc.exe
2752	sppsvc.exe
1928	sppsvc.exe
1752	sppsvc.exe
2012	sppsvc.exe
2340	sppsvc.exe
2216	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2288	DllCommonsvc.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2396	sppsvc.exe
Token: SeDebugPrivilege	2464	sppsvc.exe
Token: SeDebugPrivilege	2976	sppsvc.exe
Token: SeDebugPrivilege	2400	sppsvc.exe
Token: SeDebugPrivilege	2752	sppsvc.exe
Token: SeDebugPrivilege	1928	sppsvc.exe
Token: SeDebugPrivilege	1752	sppsvc.exe
Token: SeDebugPrivilege	2012	sppsvc.exe
Token: SeDebugPrivilege	2340	sppsvc.exe
Token: SeDebugPrivilege	2216	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2796	2256	05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8.exe	31
PID 2256 wrote to memory of 2796	2256	05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8.exe	31
PID 2256 wrote to memory of 2796	2256	05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8.exe	31
PID 2256 wrote to memory of 2796	2256	05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8.exe	31
PID 2796 wrote to memory of 2832	2796	WScript.exe	32
PID 2796 wrote to memory of 2832	2796	WScript.exe	32
PID 2796 wrote to memory of 2832	2796	WScript.exe	32
PID 2796 wrote to memory of 2832	2796	WScript.exe	32
PID 2832 wrote to memory of 2288	2832	cmd.exe	34
PID 2832 wrote to memory of 2288	2832	cmd.exe	34
PID 2832 wrote to memory of 2288	2832	cmd.exe	34
PID 2832 wrote to memory of 2288	2832	cmd.exe	34
PID 2288 wrote to memory of 2664	2288	DllCommonsvc.exe	81
PID 2288 wrote to memory of 2664	2288	DllCommonsvc.exe	81
PID 2288 wrote to memory of 2664	2288	DllCommonsvc.exe	81
PID 2288 wrote to memory of 3008	2288	DllCommonsvc.exe	82
PID 2288 wrote to memory of 3008	2288	DllCommonsvc.exe	82
PID 2288 wrote to memory of 3008	2288	DllCommonsvc.exe	82
PID 2288 wrote to memory of 1476	2288	DllCommonsvc.exe	83
PID 2288 wrote to memory of 1476	2288	DllCommonsvc.exe	83
PID 2288 wrote to memory of 1476	2288	DllCommonsvc.exe	83
PID 2288 wrote to memory of 1224	2288	DllCommonsvc.exe	85
PID 2288 wrote to memory of 1224	2288	DllCommonsvc.exe	85
PID 2288 wrote to memory of 1224	2288	DllCommonsvc.exe	85
PID 2288 wrote to memory of 2320	2288	DllCommonsvc.exe	86
PID 2288 wrote to memory of 2320	2288	DllCommonsvc.exe	86
PID 2288 wrote to memory of 2320	2288	DllCommonsvc.exe	86
PID 2288 wrote to memory of 1240	2288	DllCommonsvc.exe	88
PID 2288 wrote to memory of 1240	2288	DllCommonsvc.exe	88
PID 2288 wrote to memory of 1240	2288	DllCommonsvc.exe	88
PID 2288 wrote to memory of 876	2288	DllCommonsvc.exe	89
PID 2288 wrote to memory of 876	2288	DllCommonsvc.exe	89
PID 2288 wrote to memory of 876	2288	DllCommonsvc.exe	89
PID 2288 wrote to memory of 1452	2288	DllCommonsvc.exe	90
PID 2288 wrote to memory of 1452	2288	DllCommonsvc.exe	90
PID 2288 wrote to memory of 1452	2288	DllCommonsvc.exe	90
PID 2288 wrote to memory of 2476	2288	DllCommonsvc.exe	91
PID 2288 wrote to memory of 2476	2288	DllCommonsvc.exe	91
PID 2288 wrote to memory of 2476	2288	DllCommonsvc.exe	91
PID 2288 wrote to memory of 2064	2288	DllCommonsvc.exe	92
PID 2288 wrote to memory of 2064	2288	DllCommonsvc.exe	92
PID 2288 wrote to memory of 2064	2288	DllCommonsvc.exe	92
PID 2288 wrote to memory of 1048	2288	DllCommonsvc.exe	94
PID 2288 wrote to memory of 1048	2288	DllCommonsvc.exe	94
PID 2288 wrote to memory of 1048	2288	DllCommonsvc.exe	94
PID 2288 wrote to memory of 1576	2288	DllCommonsvc.exe	96
PID 2288 wrote to memory of 1576	2288	DllCommonsvc.exe	96
PID 2288 wrote to memory of 1576	2288	DllCommonsvc.exe	96
PID 2288 wrote to memory of 1584	2288	DllCommonsvc.exe	98
PID 2288 wrote to memory of 1584	2288	DllCommonsvc.exe	98
PID 2288 wrote to memory of 1584	2288	DllCommonsvc.exe	98
PID 2288 wrote to memory of 1088	2288	DllCommonsvc.exe	99
PID 2288 wrote to memory of 1088	2288	DllCommonsvc.exe	99
PID 2288 wrote to memory of 1088	2288	DllCommonsvc.exe	99
PID 2288 wrote to memory of 1956	2288	DllCommonsvc.exe	100
PID 2288 wrote to memory of 1956	2288	DllCommonsvc.exe	100
PID 2288 wrote to memory of 1956	2288	DllCommonsvc.exe	100
PID 2288 wrote to memory of 2208	2288	DllCommonsvc.exe	101
PID 2288 wrote to memory of 2208	2288	DllCommonsvc.exe	101
PID 2288 wrote to memory of 2208	2288	DllCommonsvc.exe	101
PID 2288 wrote to memory of 2092	2288	DllCommonsvc.exe	113
PID 2288 wrote to memory of 2092	2288	DllCommonsvc.exe	113
PID 2288 wrote to memory of 2092	2288	DllCommonsvc.exe	113
PID 2092 wrote to memory of 1364	2092	cmd.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8.exe
"C:\Users\Admin\AppData\Local\Temp\05e952f361e106e8be0af13dca2cfa1f9fb9904ccc703ba8c51a061a3aacadd8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\attachments\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zdt89Dj5Wd.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1364
      - C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        7⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
        9⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1784
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"
        11⤵
        
        PID:2460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2488
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        13⤵
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1628
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
        15⤵
        
        PID:1288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2844
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        17⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1936
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        19⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:828
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        21⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2532
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
        23⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2080
        
        C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
        25⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Downloads\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\attachments\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\attachments\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\Temp\Crashpad\attachments\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c19f2e1f375fd996397d80107d6c917a

SHA1
ed18d3d46c3d6c6110c9316c2861493827134065

SHA256
7f06f89afddce60da5ca6b1caa9127aa6e4b2fbad1e5e9206a389d59de924163

SHA512
79514e7676daf42f40638869918988c13eeb2bc090d09d25d75105fb0185449291013477bc3b8d5561c09308f9fdc7e017f171044edf6929c9b735fa92d842bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36fd1bb2db3be533103b7c445efc24ce

SHA1
a86f641e2a03b93b7ad1873cd9756f58cc25e70a

SHA256
ec0e0e6fcffb43ea6f12300ac7cdef8079e5bb2be4b0d20360fc3dc11357c40b

SHA512
cd82e4fdc32e95830bf7d8903c335e404a26aee4aea175fd46969d099de8f643dffee60c10e8360b9b5618d3832cf8ecd2b0e2522506c60a8cfd654d1eed80ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3afcb35c035134ebdaabb567af54384f

SHA1
ed24f3e5499fbba9782b269a219239d68495201d

SHA256
30348e36a66d1d6a051ed9d11bced471a743fb1eb5ac89208abed8ea4944ba02

SHA512
9b9fd84469c019adb5d92961a793be1e6a85e8b7f6926b1e066d5afb34016dc115eaa13177a79dbbfe56cbed9176b8815cee25e523263d64b4c84181de40b9c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
390a64ad54a63e0fc609fec3127d1e4e

SHA1
63f7d24e577b95ed23bb7b51a5f54b8437e42929

SHA256
b58ac9869aad94c425f2f173a070af624038bf2154ce044c7943ad3d2f1764ec

SHA512
c5a1cbc169d1581a698dce038fcd53178c12501a6c6ad6d2c14a5f2424b82002257ab54b0b876533d2973c921d91a25ff634d2c4291041fae663f62ebcb67722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4eee01775f15a5874111a10d133ec634

SHA1
a52999915e2b135cb0ce01732cc3ec418ac3f98f

SHA256
90b273d379fef5f1ba6073730cdecb6bef23593a63cb4b3aaba3b69eaa5cebf8

SHA512
d89aa6e9cfa557265fca1db97c581dac68a935389f29278a9d54b03ff80a37617cac7aacf16a673ea691516874359f93278679b0e5a3a24dd13fd94daacf05d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
975143c95adaac72f066752915bd418c

SHA1
8a423ac6d6661b569b0480a369a660bf3ba2b98b

SHA256
9a46985ae00459c974064e9c115bd0d1bac7aa100f00c94c3bc2c155fa10c24a

SHA512
7b444b489bd19a58d16c02b2081ecd18371d550e2b7fba2005f37ad2a13ee54c9b7f99887b75bb497ae214fa9b69b90273fdafa61c77c17cd00a78b5acd696c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb6276838a6fc0cae454ee971eb13d5a

SHA1
03f0abd68bd35f7edfdbce39fa187bf2c83c25ad

SHA256
379bfc71f04c72f6daef663dd6c58851de1ebf6630c687aa56ed92176f15bd4d

SHA512
ac6d0df739e93144cdd264c54ff1e9325d6ff8ed8a4addf2cfba5bfb51fa1946ecbb69389c75267a868cd04aa4bce04cd8105eeb1e365cf5d94c18b08be966a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
559e557f93f3e37b19e1ef11c3d30298

SHA1
6c7c6b83ec3a532997c382ff572ba668b0d0ec1e

SHA256
4c7ce094dd3ce869edadf13d5dd6eae5eb06b84f12291d58fd209b2f8220ac44

SHA512
da0bc6ef1e9fe392804fff17e47460c81ffa793398cdc97551b4c8111a5b24f8fd76da7f34af07f1f5c1efc7f6582288e3e1799c8a5a1820ba6dc763e96544ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6edecab053d62e092037e81da48c098

SHA1
e5311fccb41b0e3095d2e083421c47776de99b18

SHA256
0acc40f444f489a79c2b8320dac5d0780ac4d861d716bc81a7943ac76feeff22

SHA512
f2f73f43064e77319dcfab5b1141177b559a53be94764ead95b9be575af9ac29d4c8af0234267ea957b474c2b1cd44f78d8548afdd065d5d30c908e61345cdba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab591A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
247B

MD5
b761928928e896873d97b0f3729d3d10

SHA1
aed88390a9768657754b0cd9f9d207a26a08b0b1

SHA256
fce496f95d12926cb08334bd3993ee0ad1e538fbba4f8607a6597201e06db2fa

SHA512
02f782528772fb03fb193e8a3437cb85f5031a8b4e1170953cdd41eff722e38e1559f78636ce4fee8c8a605cf83928009a9f41f09fe2424356764fdcffb5c888

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
247B

MD5
4b3fdb8bb1dd024dee5a5ed0ffbc5e7f

SHA1
59987d519f22f9d9a2c1770b681314f08089ee28

SHA256
fac795b1023e5fa04ffd4cf4ff3a844af7b2117dac683ff3202b6cad6234fa2d

SHA512
2ad882ccdfd93a001e7b0a6a7229e8f6716e7b44256dffa3465455b5f1f4f4f28e80c8ac6d961005f8054a71be076da6c4f645f7a54c6b96c909e95c3b29171c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar592D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat

Filesize
247B

MD5
8b07980ba3d4e87c857a9b248aa56e71

SHA1
82b07188b74fa5a6c0e1381215feed04cae189c8

SHA256
f07d9d37b18940556dbe5d651616b5570ad848cea1b617158e147e31c37b9634

SHA512
e8235b9fde574016b6eda4fdf3f8b29fb5ec8744eadc15bd8bdcd1acf08438a0a3045b82c06e5657837465fa12f76c271f6b5553969c1265abb805f0fcfcc3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zdt89Dj5Wd.bat

Filesize
247B

MD5
36ea2f9d84aa918cc43a08debf050196

SHA1
293866fa5b990c6b92d807dde0a286c7f9393be0

SHA256
6baa4fb0c57fd4d45506969841e4504d0e153dc5c55bd034003ee01478f0565e

SHA512
e85409c7e182694d58350129613dfbe98aee9c6fc484148ab8db3dc49b74b2d7ede23d24466b7f5e65a94fff69c3d1b07593aa602ff3c5d220a7e7fae7168a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

Filesize
247B

MD5
4a9ca17969cb76a392be9561e26fedcf

SHA1
1bf327f49ed83f810002e40354c6e83ced584114

SHA256
07ef1eb8f6ec1fc7bcec70ef18cf5f26ec0969f5edf5cf79df46a7fee9660577

SHA512
affe724c1e7691084e5c3d0f33711f4736486a8243a65a169de327475535063ab7b6558e6585b18e8e8be1b52bde1ddf0df5b90abc2a47a10d7eaaa132df1d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat

Filesize
247B

MD5
48c74501d70d99219a1963a1ffcff434

SHA1
d4a34fcd142b28c397890fc35609fb1d7e10745d

SHA256
0a766171a7f88285dffd7e3cd43c5d4233dfd90fcc9c32df32994239d7236e25

SHA512
463582a9b6ae93835230d40093e39392973f317e38f0d6560e1efa6697be4858ce33ec26f712bcc3ca17d813d60ce2cbc533cf78438e95243837af7ed02a5f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
247B

MD5
cb8a58751fea7b4c35f5daa319137283

SHA1
6f7fb6edf21be12f41ba22548a2ef544d684a9f8

SHA256
e47461562df968d14d53ddaffa4c47e441e596fa736a643f97c5223761b4661b

SHA512
3d68469984d57f53acdc5ddfe5f807037df30c0cd7a5600e5ee08f376a38cde4addf7cf99ef73606919b0b6c056f7296801b491312845e6a19767480b1184d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

Filesize
247B

MD5
032129f666004b18d4f0698dc9ec2d4c

SHA1
ee37320be820ea90b68ab0abd801f1a617f13eef

SHA256
1ce26e5c9b6d254cc0f41c8abe21451a0e62ad0f0d63ecde2effafb31f0c6cea

SHA512
0384cf6ff8efc76ce6582b664f21b9c4896f04e4c09f1f08b5239adb933c0140bfac2cf19686ebd7a31f7e0a643f3c355a9cd3e57ada4b99a2f70947765661d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
247B

MD5
8c772d1277dadd4f9055e830c737c556

SHA1
c95f65d4d469f9fdd02800cf9fdde6a2c409c4f0

SHA256
fe894b7e123894ca7b1ad3973213067e409b710ab24fddc735a96567db67f2e5

SHA512
2dc06aaed09c872a42a1ebdc81f92fdb269998efd572d6099d6b5ff8bbc5f2e2511e82057ca24589cac65a96798c192a643e75b8e06e98f150c911c5156a05a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat

Filesize
247B

MD5
0230a4dec47e0372333cae509094d051

SHA1
25a7dcefbac151346c6df0375418547bcda78b20

SHA256
e028fa10b681eaffb8ce7f92c4ce9d89f3535e5ae7e286c9af0cfe6a70aa3b5a

SHA512
ce7878000e24318ae7ceda2f380f47f08fa060ef1f6ebe6a8e5942ee0ab25b7824ff96cd5f91b4ab7c0aa11e4cdba13cb194f6006d009b264aee120dbab372ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
247B

MD5
8afb75a1c9a52199c9529b5c3407b9e1

SHA1
49614f5fc6d2cc65a86954e6d481ad67e422332c

SHA256
62516a043a86567da35191905cb82dcbf586b93721930dfa3c00d9c489c81e86

SHA512
be574e109a27f4ea2287096429e7e9861902a759fd6e70435b4d4875f879213f9128c3c69a16a127af08d05d5f077d1d5535b0861e70fe8efc7e84bf79b4ef66

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1B0ATE2PAW7F5FMLC2TP.temp

Filesize
7KB

MD5
9d12db9dd3b55caf8736eb860ce1e0f6

SHA1
632f718b0bff9424f96da779861c339cde37cb1c

SHA256
61d454fe3d49b87a954b8ddde5930ae92a0b9c7dee6d3dca8fa22b1c06824e88

SHA512
10c3e67769319592b0d0285e0c8d3804f7bc45168e4ca2a4cbf41aacd4f5a47bd174c6f160d213e2db1f86ed4cf17af333a6a1f46a53a0fa7690be8f427edb7c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1752-490-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/1928-430-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2012-550-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2288-17-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2288-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2288-15-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2288-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2288-13-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2340-610-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2396-133-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2464-192-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/2476-63-0x0000000001CD0000-0x0000000001CD8000-memory.dmp

Filesize
32KB

Download
memory/2476-61-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2752-370-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download