dcrat | 7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67.exe
Size

1.3MB
MD5

1524228d85477898d15ccb4485ab3539
SHA1

a5f8b6cf538945782c97b567cd0fa02a23657f96
SHA256

7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67
SHA512

768b012238961023779e675078ea641f4b1fd7570616086bbae8a0321473387b2ab3ded05d0c4167268f42a9f130f203837f6eadcf520e104217443642164054
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2644	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2644	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001727e-11.dat	dcrat
behavioral1/memory/788-13-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/2968-108-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/572-167-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/980-227-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1956-287-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/1584-347-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1752-407-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/2544-468-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/1648-528-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
848	powershell.exe
1280	powershell.exe
2272	powershell.exe
2880	powershell.exe
1160	powershell.exe
1824	powershell.exe
2256	powershell.exe
2240	powershell.exe
1612	powershell.exe
1588	powershell.exe
2920	powershell.exe
2432	powershell.exe
1148	powershell.exe
2220	powershell.exe
2440	powershell.exe
1744	powershell.exe
2312	powershell.exe
1688	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
788	DllCommonsvc.exe
2968	cmd.exe
572	cmd.exe
980	cmd.exe
1956	cmd.exe
1584	cmd.exe
1752	cmd.exe
1944	cmd.exe
2544	cmd.exe
1648	cmd.exe
3048	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2444	cmd.exe
2444	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
15	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\smss.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Cursors\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
2676	schtasks.exe
112	schtasks.exe
1088	schtasks.exe
1692	schtasks.exe
1036	schtasks.exe
1272	schtasks.exe
2888	schtasks.exe
844	schtasks.exe
3028	schtasks.exe
1324	schtasks.exe
760	schtasks.exe
2196	schtasks.exe
1708	schtasks.exe
536	schtasks.exe
2528	schtasks.exe
2672	schtasks.exe
1644	schtasks.exe
2812	schtasks.exe
1996	schtasks.exe
1660	schtasks.exe
2752	schtasks.exe
468	schtasks.exe
2960	schtasks.exe
2392	schtasks.exe
2352	schtasks.exe
2376	schtasks.exe
3040	schtasks.exe
540	schtasks.exe
2840	schtasks.exe
2564	schtasks.exe
2492	schtasks.exe
2680	schtasks.exe
1980	schtasks.exe
2720	schtasks.exe
588	schtasks.exe
2224	schtasks.exe
1992	schtasks.exe
1848	schtasks.exe
2168	schtasks.exe
1560	schtasks.exe
2292	schtasks.exe
2520	schtasks.exe
2380	schtasks.exe
2004	schtasks.exe
2016	schtasks.exe
1032	schtasks.exe
2160	schtasks.exe
1672	schtasks.exe
2052	schtasks.exe
2668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
788	DllCommonsvc.exe
2432	powershell.exe
2240	powershell.exe
2312	powershell.exe
1588	powershell.exe
2256	powershell.exe
1744	powershell.exe
2272	powershell.exe
1612	powershell.exe
1824	powershell.exe
2220	powershell.exe
848	powershell.exe
2440	powershell.exe
1688	powershell.exe
2920	powershell.exe
1160	powershell.exe
2880	powershell.exe
1280	powershell.exe
1148	powershell.exe
2968	cmd.exe
572	cmd.exe
980	cmd.exe
1956	cmd.exe
1584	cmd.exe
1752	cmd.exe
2544	cmd.exe
1648	cmd.exe
3048	cmd.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	788	DllCommonsvc.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2968	cmd.exe
Token: SeDebugPrivilege	572	cmd.exe
Token: SeDebugPrivilege	980	cmd.exe
Token: SeDebugPrivilege	1956	cmd.exe
Token: SeDebugPrivilege	1584	cmd.exe
Token: SeDebugPrivilege	1752	cmd.exe
Token: SeDebugPrivilege	2544	cmd.exe
Token: SeDebugPrivilege	1648	cmd.exe
Token: SeDebugPrivilege	3048	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 1688	1824	JaffaCakes118_7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67.exe	28
PID 1824 wrote to memory of 1688	1824	JaffaCakes118_7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67.exe	28
PID 1824 wrote to memory of 1688	1824	JaffaCakes118_7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67.exe	28
PID 1824 wrote to memory of 1688	1824	JaffaCakes118_7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67.exe	28
PID 1688 wrote to memory of 2444	1688	WScript.exe	29
PID 1688 wrote to memory of 2444	1688	WScript.exe	29
PID 1688 wrote to memory of 2444	1688	WScript.exe	29
PID 1688 wrote to memory of 2444	1688	WScript.exe	29
PID 2444 wrote to memory of 788	2444	cmd.exe	31
PID 2444 wrote to memory of 788	2444	cmd.exe	31
PID 2444 wrote to memory of 788	2444	cmd.exe	31
PID 2444 wrote to memory of 788	2444	cmd.exe	31
PID 788 wrote to memory of 1588	788	DllCommonsvc.exe	84
PID 788 wrote to memory of 1588	788	DllCommonsvc.exe	84
PID 788 wrote to memory of 1588	788	DllCommonsvc.exe	84
PID 788 wrote to memory of 1612	788	DllCommonsvc.exe	85
PID 788 wrote to memory of 1612	788	DllCommonsvc.exe	85
PID 788 wrote to memory of 1612	788	DllCommonsvc.exe	85
PID 788 wrote to memory of 1148	788	DllCommonsvc.exe	86
PID 788 wrote to memory of 1148	788	DllCommonsvc.exe	86
PID 788 wrote to memory of 1148	788	DllCommonsvc.exe	86
PID 788 wrote to memory of 1744	788	DllCommonsvc.exe	87
PID 788 wrote to memory of 1744	788	DllCommonsvc.exe	87
PID 788 wrote to memory of 1744	788	DllCommonsvc.exe	87
PID 788 wrote to memory of 2240	788	DllCommonsvc.exe	88
PID 788 wrote to memory of 2240	788	DllCommonsvc.exe	88
PID 788 wrote to memory of 2240	788	DllCommonsvc.exe	88
PID 788 wrote to memory of 2312	788	DllCommonsvc.exe	89
PID 788 wrote to memory of 2312	788	DllCommonsvc.exe	89
PID 788 wrote to memory of 2312	788	DllCommonsvc.exe	89
PID 788 wrote to memory of 2272	788	DllCommonsvc.exe	90
PID 788 wrote to memory of 2272	788	DllCommonsvc.exe	90
PID 788 wrote to memory of 2272	788	DllCommonsvc.exe	90
PID 788 wrote to memory of 2256	788	DllCommonsvc.exe	91
PID 788 wrote to memory of 2256	788	DllCommonsvc.exe	91
PID 788 wrote to memory of 2256	788	DllCommonsvc.exe	91
PID 788 wrote to memory of 1280	788	DllCommonsvc.exe	92
PID 788 wrote to memory of 1280	788	DllCommonsvc.exe	92
PID 788 wrote to memory of 1280	788	DllCommonsvc.exe	92
PID 788 wrote to memory of 2432	788	DllCommonsvc.exe	93
PID 788 wrote to memory of 2432	788	DllCommonsvc.exe	93
PID 788 wrote to memory of 2432	788	DllCommonsvc.exe	93
PID 788 wrote to memory of 1824	788	DllCommonsvc.exe	94
PID 788 wrote to memory of 1824	788	DllCommonsvc.exe	94
PID 788 wrote to memory of 1824	788	DllCommonsvc.exe	94
PID 788 wrote to memory of 848	788	DllCommonsvc.exe	95
PID 788 wrote to memory of 848	788	DllCommonsvc.exe	95
PID 788 wrote to memory of 848	788	DllCommonsvc.exe	95
PID 788 wrote to memory of 1160	788	DllCommonsvc.exe	96
PID 788 wrote to memory of 1160	788	DllCommonsvc.exe	96
PID 788 wrote to memory of 1160	788	DllCommonsvc.exe	96
PID 788 wrote to memory of 2920	788	DllCommonsvc.exe	97
PID 788 wrote to memory of 2920	788	DllCommonsvc.exe	97
PID 788 wrote to memory of 2920	788	DllCommonsvc.exe	97
PID 788 wrote to memory of 2880	788	DllCommonsvc.exe	98
PID 788 wrote to memory of 2880	788	DllCommonsvc.exe	98
PID 788 wrote to memory of 2880	788	DllCommonsvc.exe	98
PID 788 wrote to memory of 2440	788	DllCommonsvc.exe	99
PID 788 wrote to memory of 2440	788	DllCommonsvc.exe	99
PID 788 wrote to memory of 2440	788	DllCommonsvc.exe	99
PID 788 wrote to memory of 2220	788	DllCommonsvc.exe	100
PID 788 wrote to memory of 2220	788	DllCommonsvc.exe	100
PID 788 wrote to memory of 2220	788	DllCommonsvc.exe	100
PID 788 wrote to memory of 1688	788	DllCommonsvc.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7fd5ffece757c9f69fcb8242e10f6d72f075ab08b4b8a3a776092807aa192a67.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Pictures\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UEBpdI9yp4.bat"
        5⤵
        
        PID:3008
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2544
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"
        7⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2400
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        9⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2872
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        11⤵
        
        PID:1632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3004
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        13⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2928
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
        15⤵
        
        PID:1460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1280
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
        17⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2244
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        18⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        19⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2284
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"
        21⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2776
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        23⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2092
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
        25⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dff1754d7bac9c2acbea0068b29857f

SHA1
1e7ee6c73573f51f3af934abe8fd37481a368913

SHA256
b34f8903c294b5e770772862380c515c300a4d68917a44b782ba260d11de39a6

SHA512
45c08f1767c5fdae58d7a85b8ae2ee7f7775520c679cfeca3dae731a46cbee5436bda44f2b31e367ba736a3b0ddf188e5a48d39e8fb0e7bde58fbdadda293a3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ec34dcbb9cdb7e7346b64bf5368f0c2

SHA1
c4c7c7527c472400d957ca2a29d4334c76e5e761

SHA256
5315e73c5cd23ee2aa0154a1d4935cf4ce93a97b7af1c79977460de5868bf866

SHA512
f0f4593af7eec9959b1afd8433bf5adec79a6814429f5c19cc37860707bb9e994850bea4ed3a6c8a7565b0caa73ab8ddacdd2602a1beeb82ee00c9326bfaacb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a36f2c45ed538a8adc1dce411e59449a

SHA1
3fee0b5be49419558766a8e226da03526d361691

SHA256
9e57e191f3b6f3e47c232154a4336a9daa54d6a50968439e6a216dc0f20f9b21

SHA512
20dfc141322fa1e4cc2b0cd67a286e02f990ad1c17d743134965bec4e0a726a19f56ee682c1c0aaaf6f9f5a6e318545b5148360d2fa16ad09ca7cd22d9f3f4b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1030e7e0f2e1d28671985fd96ce8cf93

SHA1
9f5c56a0a285160111e45e32ddd7e83c9dfea23d

SHA256
7e1a2a02e437938f569498992043dbfeef81eab1a3b9787944396152fad9995f

SHA512
4025017aca78bbbd01998af496de5fcfba3395ee54f719508f26809b946b66e9418c0ff09e7626d4a86dabc2c0b0e532393a2aff4ff4b1f5e1f4f2ef59de8354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b50e234843fd3e1615479e9b475d462

SHA1
ba35243f7d4c837423fae8223eced3aadce8700e

SHA256
264f0d140e98b6f722f4db6125682d662a0c208054c0004fc1927d9fa2c3c0a2

SHA512
c965f777aa404d6974801c69bc13af2f74734c86e1e4f0111ff6f3638981cc50e290226853873ac5a42e4b29e55fb9b0d1f6046cecacb451fdbac5ac0f28fd7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28796a7a6651759d9b0cbdb18addfc2d

SHA1
3488605cbfc88267b495c68fee177009bbce23cf

SHA256
f00e01c7d3e7f10f608172c53c1d6e2329d8ac974e69203d0b92db9b9135e8dc

SHA512
76c25c6712cae6e0d592abfd07e8939f2feccd4a7bcaeca7c3e68481c220cca6ebdaa660c0046f34fc22885551d6b1c77ed51156c72baae1b0efb1f0ffddd06b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
314ef424cef5dee84aa3d0020caa55cf

SHA1
0e77363c530f27fe46e51eb05cfb69d2c601babe

SHA256
fe51fb61db5578dd4d04071313a91e61471087bffd961930dc35c1624c96c59c

SHA512
c825e627ee2076eacab1e16d9d380da3ffcdf505bfffd41e40127d21d73d52ba53ae8c70c3fe8a92c754d9b611451a3695284165133e4beed51dc769978883c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9fa29800979f9d147a06f418cd10a4b

SHA1
1dd09cd8d5d97e34bfdce6a40ebae9c30d6b0421

SHA256
cc4c195a1f9fe316f5bcfb20795e77efe6606eca68c8067ca0b1eea3efeb32dc

SHA512
401b176079577d4e770f11caa71a7b768f8d75bae6ace5a17b19548f4d39397bca05d198d54c449f1d4316532a18e42d2cd21dac4dd4120a1bf4290e24e224ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
235B

MD5
1d649859ec025398d9059e5a517aab0e

SHA1
68bc807a8220c5287adfa59d33e18e812ba04721

SHA256
84d0c9b2cc924e469297b38d1bdf22eab8ebc9e27d475585c235a55e5a201c81

SHA512
3bd9df28d029bce1fd50baf0d13ea950ab9795e233b8aa9a0851f30e12b2c5c475e0317adf1a13884ad1e0067f2cc557e1c5ae17eaf7a0834c541f23dccdf174

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2889.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
235B

MD5
fe353bceca17d08d5a6a4ae05f9431b4

SHA1
dc2004ea98713c17e32d083e777d9d85bd87321c

SHA256
85fc9c6d4d9cf258a53e71d518f3a589e4e677e98813d0a593ad4a20f2657199

SHA512
7e70ece300eb8a4fc7ee9af1949cab835bcc5b9c659b2cb5025b80871eebd50da8233bb08bcfc6ea4a9bda85bfb760642de82cf5ff1f9846a2e33ffd2553bce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
235B

MD5
1b108ab5927cd1128760c26499ed4431

SHA1
4912181212026e3516c7afea932e8b1bfc84bdb8

SHA256
c03d2e1a80517a591046c649aa71d45d609eba9dcb2d6c2b0ae6de95047f35e8

SHA512
259f3706efa90bbcb5d159bb73b18ec72266b5378ba980ffb78b93ba78ecb55a3df54dfb77e4fbf9cb4f0f83c5eee1ec6ead5ac69aba31fcb7b74d1878c387a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat

Filesize
235B

MD5
5a4e5ea5b07a1bad67eb0a7c9fee4844

SHA1
02518cf014cc5eb5820646703f56b4b86929e3ab

SHA256
e761e2878f9b1e324796d32e4a59e45d683a6ca010e3cd5e4ed34697eaded18b

SHA512
0e9ccbf833ab081446aa687035a0dd02b810a3dd861bf1dd20d4529af3c11faab567768ad6e7624fefbbadb56c75d91509e52e06ba4d40292b4169fd915e2609

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar289B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UEBpdI9yp4.bat

Filesize
235B

MD5
fbb4790507d446be8e50e7c219b9719b

SHA1
4c2a611ad44f7c317aa887a33df48fe3aa188c47

SHA256
65c0292270d6ceb99df655b80ba88a5adb8150c9abdccd6944b91dc12983fb06

SHA512
7e67a221a01ec6f22f25951ff522d380668dadf5a441402c87dd9711bda23e6a0999301b2ac297d322fd089829d44e8ca456f5f18daffd10f364e26023d12020

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat

Filesize
235B

MD5
3b208d68600a06ea11e604dbfa078ede

SHA1
ee8fbbb635f2a3483c4fdfff5978068d7a52bcdb

SHA256
b812c0d928e61e2edf6031cb8cfb5064a966197edb16771b18673d8310b5dc9f

SHA512
54e354bd6284edfb9da4f89ac656be34d983fe07a6e42ac1d31c6f4d2b7187a76024252b1184e24080c3a2ceb55dd73f885ce7ef9bae38356137f08b118358d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
235B

MD5
1048748daf4c9010da4b45290b024ef4

SHA1
675d6a9963d759e0af8be06556f5d61a9a73692a

SHA256
79113c7f31dc5888048f715a0266e192cf1cfb9d32e9db012a27319faf70745b

SHA512
7cbfad05ae13b21d20beda199f30bcb98fe2aea47b4a4d2462f7210973bd951a1f45bdee41410ae8ae2ba465ce177bf461f51c0de89249b73dbb7cf265e2bbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

Filesize
235B

MD5
ceada09d5d14aacaae2ef8fb8db86c38

SHA1
b03a184d14e39b5cfc415bfddf333b89b262a678

SHA256
04c2d1d54a72e3a170aeaf78380d1525f14c126519bb76c7d541ab1d0f3db96d

SHA512
281c3644085dd5b452b792456a5cbd7fb62c07918e4ae44ba3e447845eee38004b870571301bc9470cecba7901b98bfec7a735baf38c0eef7b956ecda9a4377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
235B

MD5
bb10f9f99c45dd32bd636b8b0cafc425

SHA1
42f1ca90d850bc8d85f72805bf66f54ab7fb74e8

SHA256
4d38720512b3a07feee5643b95bfaea210fc0140f1b868cb75c3388146e2d082

SHA512
0644f803294ec83e50d44b4d387dd35b49a5d50a8cafb48b045c0f12137a582cd5659c487febd5a9c207e8c1e4a0613daa7d98a80c2179e6158fdf2752d1f57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat

Filesize
235B

MD5
d2c4632f33ebb5f549e6bf41792a9acf

SHA1
069489d69dfb6a32e23e9fea79f9acb3e659b9d8

SHA256
374a299529b9287810ba9c80cf679407ebd7f2f7ecf1eaeccf8bdaa66ae4bf7d

SHA512
df9cc40e16cb15201ce7eaa23b461c68677ebfe062b5d6c37aa48915aa5f71e44121753988cb8e384c5974158ddc7d3d09cd153a6bf3ed9d0328eac1acd713b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
36d86291e09c201eeb56b3aa1787385e

SHA1
a73f44879402f401ee7a0a70473c26abce77e1ab

SHA256
8043953d8f7f0d98c997a38ba244cf1976f0d6d863dcfc6c9030e3a5928f3eee

SHA512
77e37ddd1a797b3865fa93240d22e8a8060281b85981b3f00dac6425a10a8473283e43b0323c51c68d552b89cbef077618fe165f93f85d0933975b186967aa75

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/572-167-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/788-13-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/788-14-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/788-17-0x0000000000C30000-0x0000000000C3C000-memory.dmp

Filesize
48KB

Download
memory/788-16-0x0000000000B90000-0x0000000000B9C000-memory.dmp

Filesize
48KB

Download
memory/788-15-0x0000000000C20000-0x0000000000C2C000-memory.dmp

Filesize
48KB

Download
memory/980-227-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/1584-347-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1648-528-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/1752-407-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/1956-287-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/2432-61-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2432-63-0x00000000026D0000-0x00000000026D8000-memory.dmp

Filesize
32KB

Download
memory/2544-468-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2968-108-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download