dcrat | 2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9.exe
Size

1.3MB
MD5

5958a7f04c8b1456d54f53e16e00930a
SHA1

a918a4f9e74b941fbc368fcbba3a5baf740f5a4f
SHA256

2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9
SHA512

521354a37b0cf90661c3d85c38dcbe966a03b2acfec9812334d444cb2687759f0a1e29dfe868b3f7738ba6cc82613238a440e3d8c998ae9c5974931fc60dd6ec
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2960	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2960	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019609-9.dat	dcrat
behavioral1/memory/2192-13-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/2572-144-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2732-439-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/1916-499-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/2820-677-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1936	powershell.exe
2904	powershell.exe
560	powershell.exe
2968	powershell.exe
2804	powershell.exe
1848	powershell.exe
2676	powershell.exe
1508	powershell.exe
2660	powershell.exe
2704	powershell.exe
2876	powershell.exe
576	powershell.exe
2624	powershell.exe
2552	powershell.exe
2516	powershell.exe
2652	powershell.exe
2228	powershell.exe
2256	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2192	DllCommonsvc.exe
2572	winlogon.exe
2100	winlogon.exe
1064	winlogon.exe
1704	winlogon.exe
2128	winlogon.exe
2732	winlogon.exe
1916	winlogon.exe
2728	winlogon.exe
2548	winlogon.exe
2820	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1052	cmd.exe
1052	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
36	raw.githubusercontent.com
23	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\dwm.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\inf\UGTHRSVC\0409\smss.exe	DllCommonsvc.exe
File created	C:\Windows\inf\UGTHRSVC\0409\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Speech\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Windows\rescache\rc0005\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1304	schtasks.exe
536	schtasks.exe
1948	schtasks.exe
2040	schtasks.exe
1856	schtasks.exe
1788	schtasks.exe
2200	schtasks.exe
2440	schtasks.exe
2004	schtasks.exe
2772	schtasks.exe
2220	schtasks.exe
1008	schtasks.exe
1744	schtasks.exe
1564	schtasks.exe
2572	schtasks.exe
824	schtasks.exe
1100	schtasks.exe
1708	schtasks.exe
1660	schtasks.exe
1248	schtasks.exe
2500	schtasks.exe
2912	schtasks.exe
2800	schtasks.exe
2684	schtasks.exe
2544	schtasks.exe
3060	schtasks.exe
2616	schtasks.exe
376	schtasks.exe
2284	schtasks.exe
336	schtasks.exe
2240	schtasks.exe
3040	schtasks.exe
1932	schtasks.exe
2356	schtasks.exe
2476	schtasks.exe
1800	schtasks.exe
1916	schtasks.exe
892	schtasks.exe
808	schtasks.exe
1700	schtasks.exe
3052	schtasks.exe
444	schtasks.exe
960	schtasks.exe
2576	schtasks.exe
2668	schtasks.exe
2756	schtasks.exe
2088	schtasks.exe
2068	schtasks.exe
788	schtasks.exe
1672	schtasks.exe
544	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2192	DllCommonsvc.exe
2192	DllCommonsvc.exe
2192	DllCommonsvc.exe
1936	powershell.exe
2516	powershell.exe
2624	powershell.exe
560	powershell.exe
2552	powershell.exe
2652	powershell.exe
1508	powershell.exe
576	powershell.exe
2876	powershell.exe
2228	powershell.exe
2804	powershell.exe
2904	powershell.exe
2660	powershell.exe
2704	powershell.exe
1848	powershell.exe
2256	powershell.exe
2968	powershell.exe
2676	powershell.exe
2572	winlogon.exe
2100	winlogon.exe
1064	winlogon.exe
1704	winlogon.exe
2128	winlogon.exe
2732	winlogon.exe
1916	winlogon.exe
2728	winlogon.exe
2548	winlogon.exe
2820	winlogon.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	DllCommonsvc.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2652	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2572	winlogon.exe
Token: SeDebugPrivilege	2100	winlogon.exe
Token: SeDebugPrivilege	1064	winlogon.exe
Token: SeDebugPrivilege	1704	winlogon.exe
Token: SeDebugPrivilege	2128	winlogon.exe
Token: SeDebugPrivilege	2732	winlogon.exe
Token: SeDebugPrivilege	1916	winlogon.exe
Token: SeDebugPrivilege	2728	winlogon.exe
Token: SeDebugPrivilege	2548	winlogon.exe
Token: SeDebugPrivilege	2820	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 576 wrote to memory of 560	576	JaffaCakes118_2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9.exe	31
PID 576 wrote to memory of 560	576	JaffaCakes118_2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9.exe	31
PID 576 wrote to memory of 560	576	JaffaCakes118_2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9.exe	31
PID 576 wrote to memory of 560	576	JaffaCakes118_2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9.exe	31
PID 560 wrote to memory of 1052	560	WScript.exe	32
PID 560 wrote to memory of 1052	560	WScript.exe	32
PID 560 wrote to memory of 1052	560	WScript.exe	32
PID 560 wrote to memory of 1052	560	WScript.exe	32
PID 1052 wrote to memory of 2192	1052	cmd.exe	34
PID 1052 wrote to memory of 2192	1052	cmd.exe	34
PID 1052 wrote to memory of 2192	1052	cmd.exe	34
PID 1052 wrote to memory of 2192	1052	cmd.exe	34
PID 2192 wrote to memory of 1936	2192	DllCommonsvc.exe	87
PID 2192 wrote to memory of 1936	2192	DllCommonsvc.exe	87
PID 2192 wrote to memory of 1936	2192	DllCommonsvc.exe	87
PID 2192 wrote to memory of 2516	2192	DllCommonsvc.exe	88
PID 2192 wrote to memory of 2516	2192	DllCommonsvc.exe	88
PID 2192 wrote to memory of 2516	2192	DllCommonsvc.exe	88
PID 2192 wrote to memory of 576	2192	DllCommonsvc.exe	89
PID 2192 wrote to memory of 576	2192	DllCommonsvc.exe	89
PID 2192 wrote to memory of 576	2192	DllCommonsvc.exe	89
PID 2192 wrote to memory of 2876	2192	DllCommonsvc.exe	91
PID 2192 wrote to memory of 2876	2192	DllCommonsvc.exe	91
PID 2192 wrote to memory of 2876	2192	DllCommonsvc.exe	91
PID 2192 wrote to memory of 2256	2192	DllCommonsvc.exe	92
PID 2192 wrote to memory of 2256	2192	DllCommonsvc.exe	92
PID 2192 wrote to memory of 2256	2192	DllCommonsvc.exe	92
PID 2192 wrote to memory of 1848	2192	DllCommonsvc.exe	94
PID 2192 wrote to memory of 1848	2192	DllCommonsvc.exe	94
PID 2192 wrote to memory of 1848	2192	DllCommonsvc.exe	94
PID 2192 wrote to memory of 560	2192	DllCommonsvc.exe	96
PID 2192 wrote to memory of 560	2192	DllCommonsvc.exe	96
PID 2192 wrote to memory of 560	2192	DllCommonsvc.exe	96
PID 2192 wrote to memory of 2228	2192	DllCommonsvc.exe	97
PID 2192 wrote to memory of 2228	2192	DllCommonsvc.exe	97
PID 2192 wrote to memory of 2228	2192	DllCommonsvc.exe	97
PID 2192 wrote to memory of 2652	2192	DllCommonsvc.exe	98
PID 2192 wrote to memory of 2652	2192	DllCommonsvc.exe	98
PID 2192 wrote to memory of 2652	2192	DllCommonsvc.exe	98
PID 2192 wrote to memory of 2804	2192	DllCommonsvc.exe	99
PID 2192 wrote to memory of 2804	2192	DllCommonsvc.exe	99
PID 2192 wrote to memory of 2804	2192	DllCommonsvc.exe	99
PID 2192 wrote to memory of 2704	2192	DllCommonsvc.exe	100
PID 2192 wrote to memory of 2704	2192	DllCommonsvc.exe	100
PID 2192 wrote to memory of 2704	2192	DllCommonsvc.exe	100
PID 2192 wrote to memory of 2552	2192	DllCommonsvc.exe	101
PID 2192 wrote to memory of 2552	2192	DllCommonsvc.exe	101
PID 2192 wrote to memory of 2552	2192	DllCommonsvc.exe	101
PID 2192 wrote to memory of 2676	2192	DllCommonsvc.exe	102
PID 2192 wrote to memory of 2676	2192	DllCommonsvc.exe	102
PID 2192 wrote to memory of 2676	2192	DllCommonsvc.exe	102
PID 2192 wrote to memory of 2904	2192	DllCommonsvc.exe	103
PID 2192 wrote to memory of 2904	2192	DllCommonsvc.exe	103
PID 2192 wrote to memory of 2904	2192	DllCommonsvc.exe	103
PID 2192 wrote to memory of 1508	2192	DllCommonsvc.exe	104
PID 2192 wrote to memory of 1508	2192	DllCommonsvc.exe	104
PID 2192 wrote to memory of 1508	2192	DllCommonsvc.exe	104
PID 2192 wrote to memory of 2660	2192	DllCommonsvc.exe	106
PID 2192 wrote to memory of 2660	2192	DllCommonsvc.exe	106
PID 2192 wrote to memory of 2660	2192	DllCommonsvc.exe	106
PID 2192 wrote to memory of 2624	2192	DllCommonsvc.exe	108
PID 2192 wrote to memory of 2624	2192	DllCommonsvc.exe	108
PID 2192 wrote to memory of 2624	2192	DllCommonsvc.exe	108
PID 2192 wrote to memory of 2968	2192	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2e5be39bd6dce72df5d3daac121d4313ec37f145ca380533084d428c844847b9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\UGTHRSVC\0409\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TslGBvPUvr.bat"
        5⤵
        
        PID:2724
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2612
      - C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        7⤵
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2148
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        9⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2584
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
        11⤵
        
        PID:2104
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1104
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
        13⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:788
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        15⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2932
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        17⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1064
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        19⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:280
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
        21⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2364
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        23⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2908
        
        C:\Users\Default User\winlogon.exe
        
        "C:\Users\Default User\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        25⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Esl\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\inf\UGTHRSVC\0409\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\inf\UGTHRSVC\0409\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\inf\UGTHRSVC\0409\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Saved Games\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Saved Games\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Speech\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Windows\Speech\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a68d15310a791b3d458a84ce410f4b16

SHA1
49a068c5ad6eb2160cd634be83ce866e8e313af6

SHA256
0acf2d264093a466a27e2650db0bac934e007cd4f3e80c707ca3302a6f0ec7b6

SHA512
4254cb4daabab109ba8a603b025349ff61a0a116fc5d4f97d179c28f2106ff88c347987d9cc68e573ff67efc41c36ed92c61235a8e887c4deea9ab6c7aa5e4cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab383a6c9b3a48bbd8b598f472eb9e3d

SHA1
5ef086013b298ebf365116d78d687991d556f447

SHA256
d8e6c3dfb364cd528cad9e0d5416182b0508fc57f14806a890dcb2eec35cd14c

SHA512
86ca7ec6033eb5c0d7f031dcdaddb86013a6725ba060ec75bf4dce1b6a8a23f212df20abf93b60dc4f0ce0bc5998911db938ea16d672e96e1ec435d56291ba6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3780d945ae227d4cf8224143a7f2c68

SHA1
a69d33eca3343b3c26479fc6b15fd59e28b8edd8

SHA256
999659b6d1ca7921bb0cf13014df81941ded077d03cf64e9c4e411eb2f7c8bee

SHA512
1e7566dbb16d92f6f7d9d18e5721102037842e6c8ec5d4c36a327edf9900e63365666cc206d6341db3bf18a0a8b017ec5ad7d9f4707fd5325ada9ac57c527a23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c98c51dfce23d8633ea90c787e36057

SHA1
02d603189ac56b238d4af4aaa8bab76828c84fd7

SHA256
2e8115864bfb467a8e711d6e75d47f2dc1194a7397239aeecead09fc9a5513aa

SHA512
c4b1faaaa3b8e3354fb202bb7d2a92d68146666f65c5e0cef75846733865a763c2eb3bf350c47d77600561568c5f89e51f147d9c92612ca1a59368914ae84796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f645bb30ba9a276c63c992494a68e37

SHA1
a99a620a60a10cf159f70e8dc9d3ea3aa5c21f58

SHA256
22c2a6f2e9531f19038ebde12ce2e83b3648f83abfcaef97adba6191cca34c06

SHA512
fa2095f5ca63ff2dd50789f5767ec9f38c19a00248416982ebaf0a9dc8c3ddb62c9423570912c3fe7c36b34d7404292b1b246fc830140b9124c60b8564a75012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fe95e9382075e6493f1290498b70f3c

SHA1
a9dd74c2824c1070e9b66cd7edbfdc050a4eb70c

SHA256
8aad399211121e01c97275be8d8e102f158c8e344e2596e07268106337207ed7

SHA512
37a66152cc1cc888a125d16f34dedc7e8dfd155e9d19eae21ff2907ab9ba23beee71e8dd07ac0c93d79197b4d51f93e2d9af920423b895356f4f1e185b7d5303

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e599283dd309cd1064e9abbad44b1ceb

SHA1
e9230ce3c7cd4629831ca2036636d766e013bffe

SHA256
9dd5f2ed33c715cceac641103210e9f6f66f5f4db666719fd84f11983aaa72be

SHA512
b3ed981c5e30e4badc9144bc6e286330d6e158752f0cd5d876e351d26bb8db9c5c67c4f2ee684e254b979445e6880c774c057f4ee4cc5b7479e6c7cbf3316696

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b2beec6361bffe6390607a16e8cf081

SHA1
9ed31a7f7c3a244dd4569721820da86502c4feb2

SHA256
03afaa411c0115719e84d8fcd6892fb80fc42f88cee5cb0e21fea4e2b75281b4

SHA512
e36aaf09dbc1db32425c9a577fc5a0fa342bd7a1df11a23e9b522b4883b9663f35117357d250a2465640bca69dc277719bf2d34ea1b3e2c8f103ba5a70bd5685

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff1f8a33a1913af231135d311bf3e570

SHA1
cf0d6818dd43ca2460b630d43b94a5934a438672

SHA256
43e20dabd007c6e815bf005269a90577a60ef914d1bd27a7fd39749907363954

SHA512
037625c7bd1d1fae4a5336c657c6235699c32454e2613799eeb84f3ebf1cf7fb674bc3b2b2404ceb1c9a0e28702704c7ebb2f4d3eb4f605a4b9a0e8427e77833

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

Filesize
199B

MD5
4ea0874ab2a41cab2c298f6abf03f644

SHA1
a9d978230d35c1494babd3b678fb3e150d9756d7

SHA256
3bc0a3ad0ac9913878b82f7d3f37a7951022ee8798dcd2a514fd081e50756864

SHA512
6a47fc4d76a73019f03fc39f717dc1c8613969694509deb086df0890683d8a4617ea7c7d1270668e90c279d437ac24d9bf4ad821dcd27603ab39dfdf0d6f55ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
199B

MD5
b49758a907b9fc94278427abb3534be4

SHA1
cdfafc7676275af85bcb145e6b75ce50c1aa6d70

SHA256
96b96a0077128350388b7b231c885baba1aa43a8a757a3e2b119b807da91f72b

SHA512
f455805156221dc656de92163dbb2aa93792e2819258c9fbc36aa72d9ecc918fbecf5f6084028f494b9a86148a8c2fef6758417c63793c6848b953d93722dbc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab30A4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
199B

MD5
c2e72b257b77cc3a82609fe8a396b1e8

SHA1
9df2241ee6df3f43dbf44e2f578352a2db675c74

SHA256
99b3977cacc362a498e3f0ac274f022f952bcc77a203dfec849028d82a1dde5b

SHA512
753606d7240071100fb269997f7dd550c90268259c275d2b845e70eee78b411e563aea1817c6c1e59ff5bafc417d071f1f5185c824501bdb48ef916c56e36347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar30B6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TslGBvPUvr.bat

Filesize
199B

MD5
19787c3dea03b3a0d63cac65f5dc1c45

SHA1
1a43380b39b58997f0b9dcc2f5adbe33ba34ebfd

SHA256
d935817f36a574a6a5efd7751ba170b31fcb00224d676766447b90d0929ed867

SHA512
6cf1417da6a9828dc9b0270d4c5c6404a9d1a9df93bbb28b1ca8d09f3d51ff9e0acb7b213e6d8736c16ab0a981ea6d57d7228f6b6b60a81e0eee255a4d78322e

Download Submit
C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

Filesize
199B

MD5
e3069d7f03cf81fa9280861a364e85f2

SHA1
deeb70fc18434da09b12da56024998f6c5158229

SHA256
4bafe866d6d98b022f87b0de4b718dcd121cfa4f76fb3ce40e25fe6d0f9d004b

SHA512
e665b38f75ef0a0ea9c68d218d3bcca1f3afaedfbaa42215cb94684378c3e1b6cb92b0cb2bccd18625532fbc06220e6df3c8bf1a915c50df2bd823f9cf108e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat

Filesize
199B

MD5
74eafbf2e38258d621fd1eed6f8c346a

SHA1
7ba8521e39ad2acc391257d45d5a401d6d3e664d

SHA256
480aaf383610f37527b20228a003ce67eccdf005c95b5b9e4e66408d81f06548

SHA512
f032055b509ff258c0f1c73bcedf2a1d714c275e5bcc1c251cfc3f3ca41805acbd6ea0fa00977f40f31cbe5310614a2ea60f3378a42b7f96421494275f1e8c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat

Filesize
199B

MD5
a0ac60be5fa7647d86b37d7ad921a976

SHA1
2dbae10b2089b998f2b7399b8bc7dd3c74004645

SHA256
11e6b561de85f7a2ec7b14748c4f392824a4952a21185d0f95f423faa686132c

SHA512
e7d525afb632da2da7b637d0aa76161b28f0eb0c34d12f753abe9eb54a265aa61a601eefebf7d78415016bbccd8e1cf1fdef12b3c1aea312d69ca0528926f3be

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
199B

MD5
66c3774bdc45d4bc16d241897110ac19

SHA1
474352e9b13e84e9cb15a22ba37600f077f62fae

SHA256
eb51292684a97fc53e64368d225e125403648fc95c3bd88753a75d708286be2e

SHA512
075ce54073e8764eda910868b5fd0c0faa89ea6268f196a823c69b7d6a4f284df5a2dcb775b3682a51d68cece29854d53f492dd6197416889765b80c7ab663e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
199B

MD5
60d92e9cd838ad3e8af5cb402e538b67

SHA1
8653f5d27b86e1bc77c54e0ef46822d5da30d5a6

SHA256
ea4f145c66f8fce167fb4e1179e1f9f68f4311316784cf9164815106596799c2

SHA512
8675de169c237484a48548e7e76e9f319aa0615b831c234b8b4d714edf4407e46bf3865c7b62d04a9c88aa99a0e2226918261dc84d4b4e922a98ec25594ced22

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

Filesize
199B

MD5
3892b47aa350721e809154a980eb2c05

SHA1
9865d191ef5016aa07c6aa0f30066672ea9a5e77

SHA256
e6078af4a35fd4f64e878042216bf486c0048a7281595935a962ed06469f0845

SHA512
f5bda3f9b9a8955163feb37514858ad330238bcc34396b0a4e3e78c0164d434a6f5ffec392a7aa10f88ad937cbb50b31b75770f155b2c1fedc4e64281754498b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
90c5230f93902f0099b04c3f4ede53bd

SHA1
ad4d3a53396dbd336e17bffe6fcdeffb5ac56374

SHA256
8839041ced7fbf55d4162415acface7679259a4d40f39f5990bad4faabdfce58

SHA512
8fe3409f61ac5845d39ffff59667d388db594e9dce1040fd9d0658d19835ed48c659de2a638764e9d21c0bcf198f189aac186b604c16e9bbc88bf6aa8d256d09

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1916-499-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/1936-61-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/1936-60-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2192-16-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2192-13-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download
memory/2192-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2192-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2192-17-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2572-144-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-439-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2820-677-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download