dcrat | 2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523.exe
Size

1.3MB
MD5

bf73485f26aed5eb8c0b22daa6738b26
SHA1

9acb4caba746df2c215772e35d21f1be3f9f0d46
SHA256

2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523
SHA512

05195ed5b21ce3f1ee760d52a1c84df0a81b43286e0be38bca5ce02b6025665e7ff921234109c9165b083073279a685ae272ad908eb703e78853a264da11043e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1016	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	1016	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016689-12.dat	dcrat
behavioral1/memory/2720-13-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat
behavioral1/memory/1768-54-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1692-253-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2052-314-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/1688-492-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/2644-613-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2200-673-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/1244-733-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2176-793-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2956	powershell.exe
568	powershell.exe
2068	powershell.exe
1756	powershell.exe
2136	powershell.exe
2044	powershell.exe
2096	powershell.exe
1592	powershell.exe
2300	powershell.exe
2132	powershell.exe
1720	powershell.exe
1708	powershell.exe
1488	powershell.exe
2004	powershell.exe
2316	powershell.exe
2216	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2720	DllCommonsvc.exe
1768	wininit.exe
1608	wininit.exe
1692	wininit.exe
2052	wininit.exe
2292	wininit.exe
864	wininit.exe
1688	wininit.exe
2040	wininit.exe
2644	wininit.exe
2200	wininit.exe
1244	wininit.exe
2176	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	cmd.exe
2540	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2456	schtasks.exe
2000	schtasks.exe
1684	schtasks.exe
532	schtasks.exe
2812	schtasks.exe
2648	schtasks.exe
872	schtasks.exe
2732	schtasks.exe
1536	schtasks.exe
1196	schtasks.exe
2600	schtasks.exe
2488	schtasks.exe
1092	schtasks.exe
800	schtasks.exe
2628	schtasks.exe
2800	schtasks.exe
2752	schtasks.exe
2888	schtasks.exe
684	schtasks.exe
1312	schtasks.exe
748	schtasks.exe
2572	schtasks.exe
2952	schtasks.exe
2484	schtasks.exe
2576	schtasks.exe
2444	schtasks.exe
2220	schtasks.exe
1836	schtasks.exe
1988	schtasks.exe
980	schtasks.exe
2676	schtasks.exe
2356	schtasks.exe
604	schtasks.exe
1268	schtasks.exe
1120	schtasks.exe
2876	schtasks.exe
2700	schtasks.exe
1776	schtasks.exe
1232	schtasks.exe
3056	schtasks.exe
2884	schtasks.exe
1832	schtasks.exe
1932	schtasks.exe
2560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2720	DllCommonsvc.exe
2720	DllCommonsvc.exe
2720	DllCommonsvc.exe
1708	powershell.exe
2956	powershell.exe
1592	powershell.exe
1720	powershell.exe
2300	powershell.exe
2132	powershell.exe
1488	powershell.exe
2216	powershell.exe
2004	powershell.exe
2136	powershell.exe
1756	powershell.exe
2044	powershell.exe
1768	wininit.exe
2096	powershell.exe
2316	powershell.exe
2068	powershell.exe
568	powershell.exe
1608	wininit.exe
1692	wininit.exe
2052	wininit.exe
2292	wininit.exe
864	wininit.exe
1688	wininit.exe
2040	wininit.exe
2644	wininit.exe
2200	wininit.exe
1244	wininit.exe
2176	wininit.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	DllCommonsvc.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1768	wininit.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1608	wininit.exe
Token: SeDebugPrivilege	1692	wininit.exe
Token: SeDebugPrivilege	2052	wininit.exe
Token: SeDebugPrivilege	2292	wininit.exe
Token: SeDebugPrivilege	864	wininit.exe
Token: SeDebugPrivilege	1688	wininit.exe
Token: SeDebugPrivilege	2040	wininit.exe
Token: SeDebugPrivilege	2644	wininit.exe
Token: SeDebugPrivilege	2200	wininit.exe
Token: SeDebugPrivilege	1244	wininit.exe
Token: SeDebugPrivilege	2176	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1528	2276	JaffaCakes118_2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523.exe	28
PID 2276 wrote to memory of 1528	2276	JaffaCakes118_2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523.exe	28
PID 2276 wrote to memory of 1528	2276	JaffaCakes118_2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523.exe	28
PID 2276 wrote to memory of 1528	2276	JaffaCakes118_2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523.exe	28
PID 1528 wrote to memory of 2540	1528	WScript.exe	29
PID 1528 wrote to memory of 2540	1528	WScript.exe	29
PID 1528 wrote to memory of 2540	1528	WScript.exe	29
PID 1528 wrote to memory of 2540	1528	WScript.exe	29
PID 2540 wrote to memory of 2720	2540	cmd.exe	31
PID 2540 wrote to memory of 2720	2540	cmd.exe	31
PID 2540 wrote to memory of 2720	2540	cmd.exe	31
PID 2540 wrote to memory of 2720	2540	cmd.exe	31
PID 2720 wrote to memory of 2956	2720	DllCommonsvc.exe	78
PID 2720 wrote to memory of 2956	2720	DllCommonsvc.exe	78
PID 2720 wrote to memory of 2956	2720	DllCommonsvc.exe	78
PID 2720 wrote to memory of 2004	2720	DllCommonsvc.exe	79
PID 2720 wrote to memory of 2004	2720	DllCommonsvc.exe	79
PID 2720 wrote to memory of 2004	2720	DllCommonsvc.exe	79
PID 2720 wrote to memory of 2300	2720	DllCommonsvc.exe	80
PID 2720 wrote to memory of 2300	2720	DllCommonsvc.exe	80
PID 2720 wrote to memory of 2300	2720	DllCommonsvc.exe	80
PID 2720 wrote to memory of 2132	2720	DllCommonsvc.exe	81
PID 2720 wrote to memory of 2132	2720	DllCommonsvc.exe	81
PID 2720 wrote to memory of 2132	2720	DllCommonsvc.exe	81
PID 2720 wrote to memory of 1720	2720	DllCommonsvc.exe	82
PID 2720 wrote to memory of 1720	2720	DllCommonsvc.exe	82
PID 2720 wrote to memory of 1720	2720	DllCommonsvc.exe	82
PID 2720 wrote to memory of 568	2720	DllCommonsvc.exe	83
PID 2720 wrote to memory of 568	2720	DllCommonsvc.exe	83
PID 2720 wrote to memory of 568	2720	DllCommonsvc.exe	83
PID 2720 wrote to memory of 2068	2720	DllCommonsvc.exe	84
PID 2720 wrote to memory of 2068	2720	DllCommonsvc.exe	84
PID 2720 wrote to memory of 2068	2720	DllCommonsvc.exe	84
PID 2720 wrote to memory of 2316	2720	DllCommonsvc.exe	85
PID 2720 wrote to memory of 2316	2720	DllCommonsvc.exe	85
PID 2720 wrote to memory of 2316	2720	DllCommonsvc.exe	85
PID 2720 wrote to memory of 2216	2720	DllCommonsvc.exe	86
PID 2720 wrote to memory of 2216	2720	DllCommonsvc.exe	86
PID 2720 wrote to memory of 2216	2720	DllCommonsvc.exe	86
PID 2720 wrote to memory of 1708	2720	DllCommonsvc.exe	87
PID 2720 wrote to memory of 1708	2720	DllCommonsvc.exe	87
PID 2720 wrote to memory of 1708	2720	DllCommonsvc.exe	87
PID 2720 wrote to memory of 2096	2720	DllCommonsvc.exe	88
PID 2720 wrote to memory of 2096	2720	DllCommonsvc.exe	88
PID 2720 wrote to memory of 2096	2720	DllCommonsvc.exe	88
PID 2720 wrote to memory of 1756	2720	DllCommonsvc.exe	89
PID 2720 wrote to memory of 1756	2720	DllCommonsvc.exe	89
PID 2720 wrote to memory of 1756	2720	DllCommonsvc.exe	89
PID 2720 wrote to memory of 2136	2720	DllCommonsvc.exe	90
PID 2720 wrote to memory of 2136	2720	DllCommonsvc.exe	90
PID 2720 wrote to memory of 2136	2720	DllCommonsvc.exe	90
PID 2720 wrote to memory of 1592	2720	DllCommonsvc.exe	91
PID 2720 wrote to memory of 1592	2720	DllCommonsvc.exe	91
PID 2720 wrote to memory of 1592	2720	DllCommonsvc.exe	91
PID 2720 wrote to memory of 1488	2720	DllCommonsvc.exe	92
PID 2720 wrote to memory of 1488	2720	DllCommonsvc.exe	92
PID 2720 wrote to memory of 1488	2720	DllCommonsvc.exe	92
PID 2720 wrote to memory of 2044	2720	DllCommonsvc.exe	93
PID 2720 wrote to memory of 2044	2720	DllCommonsvc.exe	93
PID 2720 wrote to memory of 2044	2720	DllCommonsvc.exe	93
PID 2720 wrote to memory of 1768	2720	DllCommonsvc.exe	110
PID 2720 wrote to memory of 1768	2720	DllCommonsvc.exe	110
PID 2720 wrote to memory of 1768	2720	DllCommonsvc.exe	110
PID 1768 wrote to memory of 1052	1768	wininit.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2d205ca95e9f9dbb03f54730dc08220df16e76d2f40ee42c767a257279755523.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        6⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2952
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
        8⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2532
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        10⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2976
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat"
        12⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:752
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        14⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1504
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        16⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1952
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        18⤵
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2584
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat"
        20⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2776
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat"
        22⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2000
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        24⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2524
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat"
        26⤵
        
        PID:1356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:856
        
        C:\MSOCache\All Users\wininit.exe
        
        "C:\MSOCache\All Users\wininit.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\Crashpad\reports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cae71d5d3f64cf830da4685a912eb35

SHA1
8ea7a8c790374e9e91c06bd9f0c83b266c61f997

SHA256
c9c666663792f192d578b625367a45161acceec25ad06efc6a80bc3283c3f0c8

SHA512
fd29507365b184ab2bc6f095910174c79b5733d74cefc012010122e9d4fd659edac68d39a53316c60d9cc090912219162a82cfba45eed6ba7f1569487bcee9d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ebd7e8d1165fde434e5e6d8733dcf14

SHA1
ae2adda51bd2409d666b27d3a174e7e76559c602

SHA256
c54654b625cc2abcd2f7b9a640ae3c8514800735b2e1aa249ab0dba5e8d54389

SHA512
f0b8b290e05d54159186ed9c1b92ccc541c90cc7c939d3093645dd4fc2ec10a2fab70c9cbbcbc0d3b8a744bc429ebf01267667dd096c1857e59aec6dff79daa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d1a2ab1598f920e6cbda5c701d68e10

SHA1
d84728d0a620fb03330a0949f8b3e4fe866371a7

SHA256
d18a5421e6db179c464fed06f0c9df9d1f0762d347a71d6318e33a74c890d709

SHA512
a9bf53a190325338a888904f2b3e7fd83d534a69b2d96fa31e1dc27253b474688201938b961fce40ca4d315d02454bc5c4af491bf514efe75f025fdb60bd48d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30ab9ec8b92606b609dcc726850c21d2

SHA1
b1b057d26a5fa748877db756d6c1dc6833dd0027

SHA256
b244124222642dcf5442febfa17494d04df7b35301b6e7b4c7fd19d62e02220e

SHA512
579d6f9b6be27a38129be5b891f98af34d30bd57cc9a5c68902e538f441f991cae2d141a8fc7010373dfdb1d98c098259b89c9f907f3651aabda8c5271432a5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49f39748bb3bcc6735b46e176d9a00d1

SHA1
edd2cd4e52abc8dd5e7c902477fc5b3c03f77c3c

SHA256
6f9483f98e4f4c82ad67236ac9f613dfd478fb2117fc8a66a27608d5650d48c3

SHA512
3dc677637d53d44ab363b44c2aa8fc2203df91c2633ae42c197679830ece634f4a4c046d642fe947557754b7a716944f900a8b829ba2d8d58593529a9946d1ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80d420e77f901c87d7a7d4a846f706cf

SHA1
da992a6089d9fe2d16f3dc1c52ea0524b1fb0c94

SHA256
aff6be36bd519225ee3aaf2442628a386be94c06ce807b23edce3716b1d711de

SHA512
4c4799c3f68b6fdf56da0d314a923037333bec30565830638b7e23b6e2e5cee69a6c6a69935e9239dad443f3b654303d1bc07e228f314b0e5d99b57c0c0a2fbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d5f675d875030f00003561a9dc55800

SHA1
be11e065b410a44027c9729da050392ff080e3f6

SHA256
6bdf5869f178a289129c6a93cb3a573b4bf42ed09942b6e8caf15745fbcd252d

SHA512
ca16fee6e69b8e979f55bfd439150fcfdda227f6f9a2b3cd819990be276f33db4b5c2de31b1b2b1e3992c4bb2e6bb1d5051f06b615ceca2fbb993f8eec913cd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21cd9775b51b84293674c1eed7fda18b

SHA1
bcf2c3138aed94baf858db3f0adec36ccfcd3511

SHA256
a8b22fe09a3265d76d77f6fcb4d3fa77de7ba3fd1f43222fcb931fc31d39929f

SHA512
769ed0bcdfe7de28c1171df64fee3cdec4363b5860cc45782af44dfe2f41614ad4ab7ba2cb356f007e929f58bd5ccc094e98f420da7c097fad56922ba5cb8368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64191971f4da1a909da3aecd9d30ad94

SHA1
1bc702f943594ec39209c279c05e68c673742b6e

SHA256
ca02ead14abaa88bf7275c93a642875ca4037f33478cc5802bb10ef924be9f12

SHA512
ded69fbd75f83bbc8cb653c62439e121d099bcbbebfee997fa571f65a224ad760740d2d2b2e154bc32012b2ee0fc444338a3aead1c78a6bba168ffddb8e397bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
223d553249050933f69a706d08093839

SHA1
8cf220936b0865409cc9cd5fe8336e6e9b89b498

SHA256
9d3b64cbb643291eda0f539a97709d1be7f74f3300c709d2eb129b9978741de8

SHA512
8b581820ff62bdcdb541562bf024de8f394ebdd1629722c0145512d8a365983b4446d25f373d58aa47cbe0a51e2b9616abe61d04578206b82a2f90a9e14f38f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
198B

MD5
e6f36780ef5add7b21a2d968176622e3

SHA1
f43c7cc579efdf5abb808e4602d79c513872775d

SHA256
61029bcef19ef1d2a0c174e05274553c81dceaed1fe66af0d85f9d0904d071dd

SHA512
441eb8d2650eb5fdfae256a62537c286e0c34d4835ddcfbb8b4b5ca403d127a1454816be991bb5a7ded6b5a34b36c94ff0f69fb1ec522306f43daaffb30b75e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8pOjIocmws.bat

Filesize
198B

MD5
ffea1f8dac6201b2243f9f6a68a3a41e

SHA1
662d7a1ef82376a626af49021c16da4d45c28d59

SHA256
0d64428eacd5ec58d96e0c3a014131f437a37b3201d0cf548fb4be2099b500b4

SHA512
9add7093a54f2424a467baa8dd27360b36855fdf7572d94b4f7c3dcccf72181076a215e54b83597024a5762d3935bfc1b40790f8f5a59bdfee31886d968261a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

Filesize
198B

MD5
2e6445435da530bc4d7bec7a838b5bb1

SHA1
c25e93d315919ab9b227df2d5745a0a7178c50fa

SHA256
c8652b9d3851a1e53da34b18a19a94ae4b10b3cb4187929a2a01b36a3daa82c6

SHA512
deda69c85639cbd058f14a5b157078cacd901aab8d880888606463c20b8323b9946047206339aaad462eee58a0c63c923d43d3033197b75b82dcef27fdd2fe56

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF0B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
198B

MD5
3f5da73941faeaa3665f0591f4c944bc

SHA1
e9a5bdaafd4065c14c64ad2adcec61fc91a7962c

SHA256
7ba6884901bae91fcc0608119764a0348ffe2c7d43ad76c009891247c6e76b9b

SHA512
8b2fc6ba62aa0f585e5021eabbc1d68fdf5b3c71b1578a18b405bff392cb6f0b011efc8b0eef0486f489b78461b9a70fc8d446404b19a249f7e7fb0a36cfc415

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDF3D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

Filesize
198B

MD5
4904f31d87c0b2e5f4b3bc740b669336

SHA1
251de3eff3a77579217acdbaae93c53e25e8d701

SHA256
94d8398c8019886dac20ee4b10e400dfd1a0fc4f01b1e9564dd18ffa6896ba6d

SHA512
f9d5c3cae45ccbc814ec15cea42d645ca5097482304bf992e1fd290c1ddcfccbf1ce8d6171aeca6363536264263af69c82ea87e96321c5a11d002189e0138116

Download Submit
C:\Users\Admin\AppData\Local\Temp\dekjrv1PTF.bat

Filesize
198B

MD5
67dc480a8a5f82432417a8a9dd60009a

SHA1
dbac3e36ac11bbababb92faf54a92b6c67014f4f

SHA256
05f5c6d96d06f30703be973788c93d189699210bf42f4465b3ce38fc85b767c0

SHA512
0ccdceefc4387d7ce98ff97768708f0a1f5a2d4038f6708b61ce41a4c15b5498b78471f09e029144ad2fd7e404101ee7b18a2ee22bd6d4c8f57b21e6fc6809b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat

Filesize
198B

MD5
42263fcc3b20bf77a9a970ab0096ad47

SHA1
3be0baeed6e93a0af4720b4fa1604dd4c4183c9d

SHA256
637338bd8ddf92478756ae024e873f0362ae90a047d7d83599a5031241521325

SHA512
ce40e32a38c4cc10134931a8cb5a446b3294de7956f28b05ca90152e2bd84655a232fadbc1fcd9c60001c57473782fe275f01d7522496ca1265d78c6e492e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pnRbx2xD7z.bat

Filesize
198B

MD5
d5f63129edb954df553dfa839d059592

SHA1
2e67272996f4bc9d38fa52a34de41327b45ae702

SHA256
d30bd8cdb8e391c1193a4640dec607bab2ffa0228b4b65492270e046a44a3432

SHA512
fc5237cda34c1441b5e28c5318a589c5542312f15412effaf57409f6477f56877b93572b68b1820db0a625df16225915413186cfb5d8cab8be519b4ac62f90c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
198B

MD5
0e8e1ed95ed3797ab2905ea77029c97c

SHA1
e96e520bab80e3dfe59aa31ad91f7b956bbba00a

SHA256
e01e8f67792d19acc133094db3915ffb56391621451afac329a05ab2e887c457

SHA512
74e9925e96a911f1ba0f1d1829b515dfd86889fd1032b02e6b388709989ec79a6458ba00afb53402f2e809a642eab55c5aa6b5a1a19ad8fb6bb1e7eb4a454f5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
198B

MD5
161d9f5d08e1bdb77848fc722529cb64

SHA1
6580911aa923ba371714fc46877437cf3744339b

SHA256
0b7dc63bad8b2bace2760d245fcef3875ef2adbb12f7641e3b819e092b0de312

SHA512
e98c4f4cacd312d1448a61d134ab860124453218e74d6d7c9c4af6ebe69d116779222d1271397f3323eb22efa8b0be6c242b389118eed58777a42638ad44f2f8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7cad4bb575ab96ce7ad242dd45e4ed96

SHA1
d4a403ee2fd6162271c54a3b3427d9a803dcc144

SHA256
f32bb69331ad8b61842f2a4ea019c8dcb1f7383296c5f14a144d4bcf79931cd2

SHA512
1f392c572ff64cc5197eb8f769d7f624717d2c1e7005399ce6523d7efc51decbf4f65fbc7ba728de92c1888db66a80278efa99f9860964128ad97178973e01fa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1244-733-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-493-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1688-492-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/1692-253-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1692-254-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1708-76-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1708-72-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1768-54-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2040-553-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2052-314-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2176-793-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2176-794-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2200-673-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2644-613-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2720-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2720-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2720-13-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/2720-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2720-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download