dcrat | da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6.exe
Size

1.3MB
MD5

f75355ad7fb4977d2d2dfbb531dbdcf6
SHA1

6d308bcf275bb70d7112bbfc87ca3793f1bdad5a
SHA256

da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6
SHA512

a7794f6faa99e0250d8b321ae6698876fc890ce172a27a0ea37fe49eb7e6e5dc246e1010a0a95554bc19f24524a8823ca9403082e994a7f55a358df1bf70b2bd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2948	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d7e-9.dat	dcrat
behavioral1/memory/2848-13-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2676-52-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/2424-190-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/1960-250-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/3012-310-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/2760-370-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1680-430-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/1504-490-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/3012-550-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/828-611-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1408-671-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2480	powershell.exe
828	powershell.exe
2936	powershell.exe
1704	powershell.exe
888	powershell.exe
344	powershell.exe
1640	powershell.exe
884	powershell.exe
568	powershell.exe
1752	powershell.exe
2344	powershell.exe
2348	powershell.exe
1104	powershell.exe
2228	powershell.exe
2108	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2848	DllCommonsvc.exe
2676	services.exe
2424	services.exe
1960	services.exe
3012	services.exe
2760	services.exe
1680	services.exe
1504	services.exe
3012	services.exe
828	services.exe
1408	services.exe
2016	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\es-ES\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Uninstall Information\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Web\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Web\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\Boot\PCAT\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2408	schtasks.exe
1860	schtasks.exe
484	schtasks.exe
984	schtasks.exe
1488	schtasks.exe
1700	schtasks.exe
2460	schtasks.exe
2096	schtasks.exe
604	schtasks.exe
2420	schtasks.exe
1192	schtasks.exe
2400	schtasks.exe
2332	schtasks.exe
408	schtasks.exe
1680	schtasks.exe
1636	schtasks.exe
1080	schtasks.exe
2164	schtasks.exe
2208	schtasks.exe
2824	schtasks.exe
1552	schtasks.exe
1960	schtasks.exe
1936	schtasks.exe
1708	schtasks.exe
1140	schtasks.exe
2892	schtasks.exe
300	schtasks.exe
1616	schtasks.exe
2268	schtasks.exe
2584	schtasks.exe
2828	schtasks.exe
2384	schtasks.exe
2620	schtasks.exe
1612	schtasks.exe
1468	schtasks.exe
900	schtasks.exe
316	schtasks.exe
1424	schtasks.exe
2472	schtasks.exe
844	schtasks.exe
824	schtasks.exe
668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2848	DllCommonsvc.exe
2848	DllCommonsvc.exe
2848	DllCommonsvc.exe
2344	powershell.exe
344	powershell.exe
2228	powershell.exe
1704	powershell.exe
2936	powershell.exe
884	powershell.exe
2676	services.exe
1104	powershell.exe
2480	powershell.exe
828	powershell.exe
2348	powershell.exe
568	powershell.exe
2108	powershell.exe
888	powershell.exe
1752	powershell.exe
1640	powershell.exe
2424	services.exe
1960	services.exe
3012	services.exe
2760	services.exe
1680	services.exe
1504	services.exe
3012	services.exe
828	services.exe
1408	services.exe
2016	services.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	DllCommonsvc.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2676	services.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2424	services.exe
Token: SeDebugPrivilege	1960	services.exe
Token: SeDebugPrivilege	3012	services.exe
Token: SeDebugPrivilege	2760	services.exe
Token: SeDebugPrivilege	1680	services.exe
Token: SeDebugPrivilege	1504	services.exe
Token: SeDebugPrivilege	3012	services.exe
Token: SeDebugPrivilege	828	services.exe
Token: SeDebugPrivilege	1408	services.exe
Token: SeDebugPrivilege	2016	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2760	2236	JaffaCakes118_da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6.exe	30
PID 2236 wrote to memory of 2760	2236	JaffaCakes118_da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6.exe	30
PID 2236 wrote to memory of 2760	2236	JaffaCakes118_da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6.exe	30
PID 2236 wrote to memory of 2760	2236	JaffaCakes118_da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6.exe	30
PID 2760 wrote to memory of 2812	2760	WScript.exe	31
PID 2760 wrote to memory of 2812	2760	WScript.exe	31
PID 2760 wrote to memory of 2812	2760	WScript.exe	31
PID 2760 wrote to memory of 2812	2760	WScript.exe	31
PID 2812 wrote to memory of 2848	2812	cmd.exe	33
PID 2812 wrote to memory of 2848	2812	cmd.exe	33
PID 2812 wrote to memory of 2848	2812	cmd.exe	33
PID 2812 wrote to memory of 2848	2812	cmd.exe	33
PID 2848 wrote to memory of 2480	2848	DllCommonsvc.exe	77
PID 2848 wrote to memory of 2480	2848	DllCommonsvc.exe	77
PID 2848 wrote to memory of 2480	2848	DllCommonsvc.exe	77
PID 2848 wrote to memory of 1752	2848	DllCommonsvc.exe	78
PID 2848 wrote to memory of 1752	2848	DllCommonsvc.exe	78
PID 2848 wrote to memory of 1752	2848	DllCommonsvc.exe	78
PID 2848 wrote to memory of 344	2848	DllCommonsvc.exe	79
PID 2848 wrote to memory of 344	2848	DllCommonsvc.exe	79
PID 2848 wrote to memory of 344	2848	DllCommonsvc.exe	79
PID 2848 wrote to memory of 1104	2848	DllCommonsvc.exe	80
PID 2848 wrote to memory of 1104	2848	DllCommonsvc.exe	80
PID 2848 wrote to memory of 1104	2848	DllCommonsvc.exe	80
PID 2848 wrote to memory of 2344	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 2344	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 2344	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 828	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 828	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 828	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 2228	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 2228	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 2228	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 568	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 568	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 568	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 2348	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 2348	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 2348	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 1640	2848	DllCommonsvc.exe	86
PID 2848 wrote to memory of 1640	2848	DllCommonsvc.exe	86
PID 2848 wrote to memory of 1640	2848	DllCommonsvc.exe	86
PID 2848 wrote to memory of 884	2848	DllCommonsvc.exe	87
PID 2848 wrote to memory of 884	2848	DllCommonsvc.exe	87
PID 2848 wrote to memory of 884	2848	DllCommonsvc.exe	87
PID 2848 wrote to memory of 1704	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 1704	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 1704	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 2108	2848	DllCommonsvc.exe	89
PID 2848 wrote to memory of 2108	2848	DllCommonsvc.exe	89
PID 2848 wrote to memory of 2108	2848	DllCommonsvc.exe	89
PID 2848 wrote to memory of 888	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 888	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 888	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 2936	2848	DllCommonsvc.exe	91
PID 2848 wrote to memory of 2936	2848	DllCommonsvc.exe	91
PID 2848 wrote to memory of 2936	2848	DllCommonsvc.exe	91
PID 2848 wrote to memory of 2676	2848	DllCommonsvc.exe	107
PID 2848 wrote to memory of 2676	2848	DllCommonsvc.exe	107
PID 2848 wrote to memory of 2676	2848	DllCommonsvc.exe	107
PID 2676 wrote to memory of 1844	2676	services.exe	108
PID 2676 wrote to memory of 1844	2676	services.exe	108
PID 2676 wrote to memory of 1844	2676	services.exe	108
PID 1844 wrote to memory of 692	1844	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da4ebcefa2ef3f418a2e1d9a2bc318f17a2e69817929be9ba18d3a3a9f2a0fd6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:692
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        8⤵
        
        PID:668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2420
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        10⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2612
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"
        12⤵
        
        PID:956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1908
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        14⤵
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2380
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
        16⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:264
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        18⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1276
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        20⤵
        
        PID:344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2936
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
        22⤵
        
        PID:568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1760
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
        24⤵
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1728
        
        C:\Users\Default User\services.exe
        
        "C:\Users\Default User\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\en-US\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\en-US\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Web\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
519daf37eb93ce9d8c379fe5dc4e4bc1

SHA1
174dfc561fcd7dacd6feb3de90a848368d9c2313

SHA256
a7703e894788c16d7d59c406e0c72a2ae1617cd005a54a66cca297361cc33e11

SHA512
3004259b2a1fc72380e429416be09bb719efdeffbdbfb1ba9e4eeec48713699422adea75258f67473306bc3ab411c038a221f762e8bb35f94808706cc2c8142b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5bc83994db4ca5d308ce48f3e834bb3

SHA1
e10415d1f959d33e5a830f65001cf425195a9a5b

SHA256
e2791af82735a9a6943bf0691470f8c805888f3f3abe9931bfb70adf2137cad6

SHA512
5873927c0520b2aa75341b45f9c8e7a700d5926fd003a78c07d68635082d5f80aaca1739eb49e29be41cf7b90ff0e7ec874732672ce33f51c3214e61fe4e883c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81d5dc1b5ffb9c234edf798c7dfe0f6f

SHA1
e6f7642ca9d4ecdf38f454ab1a1e05437460821c

SHA256
7b890ac9f8eba4a83c73fdd7ee8d13b8077d80a69abe044f512c179bb47be5fe

SHA512
21806185078f12839baef87ef9f11bc2d184322905aa8e1b85b5608c7dc79e2c52fb79bf0262f8bc5d03ad4f93dd7af27c68834d8be446a564f0869e2517d6e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b23ba1fa51e8dc35fe63ea822a607436

SHA1
6f0c6b39a90563eccb545f6f4afdf400d13fd0f4

SHA256
3a0e2b629f87822526155ca2668c5895712390302e5085241c32b8a3558818c0

SHA512
17fc331f533b74707aedaf45d05e29962143cba961dd9c49b16dc3a36fc0883f57469c8bf21056641eac637a80a2198a22c36fdb6351dea1aa63de26a3638829

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e392489fc648d21d2dedd8ed41b0a3c5

SHA1
5bb17db562d97fb532da8a24e47793f33ca4be64

SHA256
f2bfa437576fec69503e70cd3de5e8cdd3cd1193dfc0f6f31a2319b7342d271a

SHA512
170d707debc8c5f464228bcc42f701d158b6a05ac9975d9763a73b5c09530d124e94b8ecb1cfbf8da175f9e2181b201f22edcad35fd6df37ff04b9c0032fbb29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
446d1f0de56a82716fe828ddfc610fa5

SHA1
b39bbf0214baf2a944fcc6329a27f2c1d301ffa2

SHA256
1c842ec318cc1d2339c8a7e95100db351ffdc5eb5e89813b02e80384f8b03059

SHA512
e46558614208e25cf1fad5b1d4226d62f788d14f82e27c32b79da1cd7a1792af9d37e85e0407b46e5ca36066b5465deafa7d2d56f88cda675702d21bbb74604c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79aea27b2deaa12c954f4f0f5210b4ba

SHA1
b20a87eb79e5ddbcea4f3f569fa74c09b8161daf

SHA256
c48f5c0dd449806841e7aca1e71504d919ce1a198e2dfc38eaafafecce7e1894

SHA512
cf1f118b93bf16a4bfd7868a7d3146de2fda3bb5ac02a3a6dca5bb01aecd0a1eca4c7e940678c4e85ad67810f7fa176e1fc1755ceb8d56dbb4a835e5e8b785ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8993c6128c36a0806f5aa94cbc3c7c6b

SHA1
49a004c78075be27e5e43f5aec47540ea000c8b6

SHA256
6a210dc15e73c6edc5652ad26aaa96a673ca0c2647208d4cdc54a224c0ea0c05

SHA512
2012963e34b50e03a5065bcc9fa8debcc096279185fb1e12f6c424da5c91c18243118ba0c62c50d3235757c4c43a331bfc0379b102f58fa75438a4f81b27f8ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d37bb6c314ec141d1748c714738bf5e

SHA1
801facc350b01a4bbdf63214fdb2a9281492f608

SHA256
a6335f34552f885f071b36c8f8f82f75ee219b05e42c7f196f2b7cdb834356fb

SHA512
5138746b863e6e2ae8c515b023e9a64eb287e28be6296d99df87d42535eed14de400c26596cf6702893881721b0654578608f4dac0913509362f43f469cae982

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8799.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
199B

MD5
ece04620842dfb5cafbda4aa2e6ddc3b

SHA1
4e09844543c33b105b606ece76367f1fcc6d1e4d

SHA256
f1a5dd5d425e4eb15925260df8f6c9d7010543d132a5975b28474a0b4d2217f6

SHA512
0e23451b343d82ea0abd589ac0b40d38647bd01a7d4522f510180b2823915afb9473aac66365565359038c52d006eae98d5d12c8d48c54acebdb08e2d499e32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat

Filesize
199B

MD5
6d1ce3afc0997cf8d19a286ef86ca635

SHA1
b9eb1ba8efedee27777e3d36e93726f3d14bcb60

SHA256
162bed5d4b8591d16a1e1e428c5af1eee7281ae764bc43e0007ab3e3fd96799b

SHA512
b9b3ac571b5cb92a46e598e3ed8e68e769a1fb219cf6b9fd9928ec7de10a23199a5839a32122d9071ef96fa0cda36d91c67e85ee8e0d4e44cf11f7bc297b898d

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

Filesize
199B

MD5
3a34b71c5e731506d163b1367465be21

SHA1
eef5294b86660e577c721c1d69e2683204be4cde

SHA256
962b2c8a2cd26409ed06627686d223b2bbf07d6094a3796bf5ca149a0529ea9a

SHA512
374b25a9b5e47c4caef36e72fd08be2817b9f8a83c9135832e068e8a448177afa72d6d311bb1bc3ab2e6092c8a785cf5f7832e0f5e148440e96c304474afacce

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

Filesize
199B

MD5
bc44cf6e74de3311ceccf89bb1b6769d

SHA1
3254f3c7fbfb2469c7d175c1742598fe20322907

SHA256
79f2189e52aafd6ce51bc5f219972b5d5c3ba8ada2372ad65a7b9bc2a7fd9d87

SHA512
c1f8388c19b1b1567abfab68f2407cfb0081538c041e36865d35f4bff024cd2e9857153d95d309d2ea20a1064728a40d32c15a01e8eb26cf9e89e05b5019a5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar87AC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
199B

MD5
de2c8089ba06860f7a6172a10adb7096

SHA1
65b56f5221199bfd2ae2ddcaecb0891704063496

SHA256
84f7ac763e2db90b8be9aa2b78950135d49f107d678ee1aa79a7ff90927b2c06

SHA512
29ccf06539f03e90e1ba964e06772fa814d5588a099dabdec40d862f9e3a3ec9f5fd9bc0603ae693b057d6e9dc66012e78cb2aeccc6f209b385501184d8a36ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
199B

MD5
92d172ad4e194c2fb0c235e1bf72b1eb

SHA1
15483053c8b26ece8f643e266ac147eead9dead9

SHA256
2e04f1311ee39f7abfbf7df63112611948ead442642fef6902f4928f6fd80cf8

SHA512
8d24fbfddd13550981a20048b0cf0b22e518c4ce69ec51e09e865c72112ae8a5140af799694fc3174bee97a6841eab6856345806a60cd00a9b17297f2c0b6d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

Filesize
199B

MD5
d983e9c822c28bbedde1231f198b300b

SHA1
36e2c8fc80fa83d9d44124b3974d922dab8a2c91

SHA256
2417ce28f84c9d55c69486ed2503a2cb3eca3b2834b3e839e6a2aa28ef26ad91

SHA512
846abb4377b3ccbef2b58b69358e8e2c3113f072e3052f40c2e7265b964fe3f9c29141b9b27be110e7e0ee7cd54e74e3295899353a89f193b86b171b4ce70974

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
199B

MD5
ff553ae640713ccaa3dde4b39f012b6a

SHA1
f35942fc97b6cf14b052d9221f34699183b6f2ea

SHA256
a21f5aef1d2235edc75617f24bb80006c8aebbbdaf869405e6a8a7d14f0f4711

SHA512
b90cfb4183f9dc6226ddebc31f1ea985983523ef67b27c38775c2bc914728777d880d40d791a24f54a83fe859e9d290bff26c8878218629c4b84966394fdc76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
199B

MD5
ee3eac0658b4c7406946e8bf4c552d45

SHA1
c18db5f76447e4aea29eac0473c7a6e25cf9007b

SHA256
091573cc84a584dae2dd84b296bc4fe1fe4c14a829f29d2b6e97bc28fd19f03f

SHA512
0dadc0c801c3ff78dea1f7a8c82d3c424c062c1fa89107dec8e2e2e0ba6fea68ebf8060763ada4ba8c7d36e04c161506a6ce25076edf930795e9940f5bfa5015

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d2694c3940da34923ac8bba280b7a0c3

SHA1
1110144c2b34537c1bf8654c19807f0e5d717b97

SHA256
0cf2f57c6bc7549b2174b187c504f13512f04e152bd0ab701884ef5101776ed5

SHA512
5167cd44bf959cc5ffbecbe7fe3b18456391e9aed1bfcf5817edf16500b5ca3a91da470b63038fdb3a2486b5e06935f894fcd89ba062a2ae54f78e8e81ae498d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/344-65-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/828-611-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/1408-671-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/1504-490-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/1680-430-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/1960-250-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2016-731-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2344-66-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/2424-190-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/2676-52-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-87-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2760-370-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2848-15-0x00000000020D0000-0x00000000020DC000-memory.dmp

Filesize
48KB

Download
memory/2848-14-0x0000000002030000-0x0000000002042000-memory.dmp

Filesize
72KB

Download
memory/2848-16-0x00000000020C0000-0x00000000020CC000-memory.dmp

Filesize
48KB

Download
memory/2848-13-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2848-17-0x00000000020E0000-0x00000000020EC000-memory.dmp

Filesize
48KB

Download
memory/3012-550-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/3012-551-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/3012-310-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download