dcrat | 023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ce

Analysis

max time kernel
119s
max time network
113s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ceN.exe
Size

1.3MB
MD5

a016aedda0460c9b0f9f63ed9bce0250
SHA1

7df98029afeb1d6056361eecf04e9d464d20fe4c
SHA256

023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ce
SHA512

df58fab684e2c35170eb2513cb999390b303c2aeb753dff2e4f01c7353d93b9b17059ee2a8eee37dbd920c67c2e97d6ddadfd9702428c8dfa0c853471d367fd6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2316	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2316	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000173f1-9.dat	dcrat
behavioral1/memory/2488-13-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/1084-80-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/2984-548-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/1740-609-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3012	powershell.exe
2604	powershell.exe
2980	powershell.exe
2764	powershell.exe
2516	powershell.exe
2800	powershell.exe
584	powershell.exe
2204	powershell.exe
2824	powershell.exe
2112	powershell.exe
2916	powershell.exe
1484	powershell.exe
2664	powershell.exe
1812	powershell.exe
2508	powershell.exe
1832	powershell.exe
2704	powershell.exe
836	powershell.exe
2844	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2488	DllCommonsvc.exe
1084	winlogon.exe
1284	winlogon.exe
1672	winlogon.exe
2672	winlogon.exe
2928	winlogon.exe
1776	winlogon.exe
2992	winlogon.exe
2984	winlogon.exe
1740	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1028	cmd.exe
1028	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
18	raw.githubusercontent.com
28	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
21	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\en-US\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Icons\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\en-US\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\NetworkService\Downloads\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ceN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1316	schtasks.exe
1808	schtasks.exe
3028	schtasks.exe
768	schtasks.exe
2092	schtasks.exe
1944	schtasks.exe
2920	schtasks.exe
1704	schtasks.exe
1688	schtasks.exe
296	schtasks.exe
836	schtasks.exe
1508	schtasks.exe
2588	schtasks.exe
2416	schtasks.exe
2928	schtasks.exe
2404	schtasks.exe
1324	schtasks.exe
2432	schtasks.exe
2544	schtasks.exe
876	schtasks.exe
2468	schtasks.exe
592	schtasks.exe
1960	schtasks.exe
1760	schtasks.exe
2904	schtasks.exe
2076	schtasks.exe
1664	schtasks.exe
2400	schtasks.exe
1952	schtasks.exe
3048	schtasks.exe
2648	schtasks.exe
3068	schtasks.exe
920	schtasks.exe
2372	schtasks.exe
2932	schtasks.exe
1720	schtasks.exe
2636	schtasks.exe
2972	schtasks.exe
2136	schtasks.exe
2324	schtasks.exe
2616	schtasks.exe
3036	schtasks.exe
304	schtasks.exe
1560	schtasks.exe
700	schtasks.exe
2836	schtasks.exe
2300	schtasks.exe
728	schtasks.exe
856	schtasks.exe
1912	schtasks.exe
532	schtasks.exe
596	schtasks.exe
2672	schtasks.exe
1032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2516	powershell.exe
2604	powershell.exe
2824	powershell.exe
2916	powershell.exe
2704	powershell.exe
2664	powershell.exe
2800	powershell.exe
2980	powershell.exe
1832	powershell.exe
2204	powershell.exe
1812	powershell.exe
2844	powershell.exe
2508	powershell.exe
3012	powershell.exe
2112	powershell.exe
836	powershell.exe
584	powershell.exe
1484	powershell.exe
2764	powershell.exe
1084	winlogon.exe
1284	winlogon.exe
1672	winlogon.exe
2672	winlogon.exe
2928	winlogon.exe
1776	winlogon.exe
2992	winlogon.exe
2984	winlogon.exe
1740	winlogon.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	DllCommonsvc.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1084	winlogon.exe
Token: SeDebugPrivilege	1284	winlogon.exe
Token: SeDebugPrivilege	1672	winlogon.exe
Token: SeDebugPrivilege	2672	winlogon.exe
Token: SeDebugPrivilege	2928	winlogon.exe
Token: SeDebugPrivilege	1776	winlogon.exe
Token: SeDebugPrivilege	2992	winlogon.exe
Token: SeDebugPrivilege	2984	winlogon.exe
Token: SeDebugPrivilege	1740	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2096	2548	023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ceN.exe	30
PID 2548 wrote to memory of 2096	2548	023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ceN.exe	30
PID 2548 wrote to memory of 2096	2548	023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ceN.exe	30
PID 2548 wrote to memory of 2096	2548	023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ceN.exe	30
PID 2096 wrote to memory of 1028	2096	WScript.exe	31
PID 2096 wrote to memory of 1028	2096	WScript.exe	31
PID 2096 wrote to memory of 1028	2096	WScript.exe	31
PID 2096 wrote to memory of 1028	2096	WScript.exe	31
PID 1028 wrote to memory of 2488	1028	cmd.exe	33
PID 1028 wrote to memory of 2488	1028	cmd.exe	33
PID 1028 wrote to memory of 2488	1028	cmd.exe	33
PID 1028 wrote to memory of 2488	1028	cmd.exe	33
PID 2488 wrote to memory of 2508	2488	DllCommonsvc.exe	89
PID 2488 wrote to memory of 2508	2488	DllCommonsvc.exe	89
PID 2488 wrote to memory of 2508	2488	DllCommonsvc.exe	89
PID 2488 wrote to memory of 2516	2488	DllCommonsvc.exe	90
PID 2488 wrote to memory of 2516	2488	DllCommonsvc.exe	90
PID 2488 wrote to memory of 2516	2488	DllCommonsvc.exe	90
PID 2488 wrote to memory of 1832	2488	DllCommonsvc.exe	93
PID 2488 wrote to memory of 1832	2488	DllCommonsvc.exe	93
PID 2488 wrote to memory of 1832	2488	DllCommonsvc.exe	93
PID 2488 wrote to memory of 2800	2488	DllCommonsvc.exe	94
PID 2488 wrote to memory of 2800	2488	DllCommonsvc.exe	94
PID 2488 wrote to memory of 2800	2488	DllCommonsvc.exe	94
PID 2488 wrote to memory of 2704	2488	DllCommonsvc.exe	95
PID 2488 wrote to memory of 2704	2488	DllCommonsvc.exe	95
PID 2488 wrote to memory of 2704	2488	DllCommonsvc.exe	95
PID 2488 wrote to memory of 3012	2488	DllCommonsvc.exe	97
PID 2488 wrote to memory of 3012	2488	DllCommonsvc.exe	97
PID 2488 wrote to memory of 3012	2488	DllCommonsvc.exe	97
PID 2488 wrote to memory of 2844	2488	DllCommonsvc.exe	98
PID 2488 wrote to memory of 2844	2488	DllCommonsvc.exe	98
PID 2488 wrote to memory of 2844	2488	DllCommonsvc.exe	98
PID 2488 wrote to memory of 2824	2488	DllCommonsvc.exe	99
PID 2488 wrote to memory of 2824	2488	DllCommonsvc.exe	99
PID 2488 wrote to memory of 2824	2488	DllCommonsvc.exe	99
PID 2488 wrote to memory of 1812	2488	DllCommonsvc.exe	100
PID 2488 wrote to memory of 1812	2488	DllCommonsvc.exe	100
PID 2488 wrote to memory of 1812	2488	DllCommonsvc.exe	100
PID 2488 wrote to memory of 2764	2488	DllCommonsvc.exe	101
PID 2488 wrote to memory of 2764	2488	DllCommonsvc.exe	101
PID 2488 wrote to memory of 2764	2488	DllCommonsvc.exe	101
PID 2488 wrote to memory of 2604	2488	DllCommonsvc.exe	102
PID 2488 wrote to memory of 2604	2488	DllCommonsvc.exe	102
PID 2488 wrote to memory of 2604	2488	DllCommonsvc.exe	102
PID 2488 wrote to memory of 2664	2488	DllCommonsvc.exe	103
PID 2488 wrote to memory of 2664	2488	DllCommonsvc.exe	103
PID 2488 wrote to memory of 2664	2488	DllCommonsvc.exe	103
PID 2488 wrote to memory of 2204	2488	DllCommonsvc.exe	105
PID 2488 wrote to memory of 2204	2488	DllCommonsvc.exe	105
PID 2488 wrote to memory of 2204	2488	DllCommonsvc.exe	105
PID 2488 wrote to memory of 584	2488	DllCommonsvc.exe	107
PID 2488 wrote to memory of 584	2488	DllCommonsvc.exe	107
PID 2488 wrote to memory of 584	2488	DllCommonsvc.exe	107
PID 2488 wrote to memory of 1484	2488	DllCommonsvc.exe	111
PID 2488 wrote to memory of 1484	2488	DllCommonsvc.exe	111
PID 2488 wrote to memory of 1484	2488	DllCommonsvc.exe	111
PID 2488 wrote to memory of 2980	2488	DllCommonsvc.exe	112
PID 2488 wrote to memory of 2980	2488	DllCommonsvc.exe	112
PID 2488 wrote to memory of 2980	2488	DllCommonsvc.exe	112
PID 2488 wrote to memory of 2916	2488	DllCommonsvc.exe	113
PID 2488 wrote to memory of 2916	2488	DllCommonsvc.exe	113
PID 2488 wrote to memory of 2916	2488	DllCommonsvc.exe	113
PID 2488 wrote to memory of 836	2488	DllCommonsvc.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ceN.exe
"C:\Users\Admin\AppData\Local\Temp\023836d5210e959370c07ecc87195a71cba74891ac49d9eae6763a1d8d0e60ceN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\VisualElements\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\NetworkService\Downloads\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        6⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2916
        
        C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
        8⤵
        
        PID:440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2204
        
        C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
        10⤵
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2436
        
        C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
        12⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2400
        
        C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        14⤵
        
        PID:584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1544
        
        C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
        16⤵
        
        PID:768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2324
        
        C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        18⤵
        
        PID:308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1988
        
        C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        20⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1768
        
        C:\Users\Default\Templates\winlogon.exe
        
        "C:\Users\Default\Templates\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files\Mozilla Firefox\browser\VisualElements\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\NetworkService\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\debug\WIA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\debug\WIA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1f9490715386d72ee55fddce8db5cb4

SHA1
e6638e3d8294ce361b47dc0b6ea3d6d5022ae2a6

SHA256
4d33eb72a16b90a37370c9cfdc31647631c055e6dc3ba87b2ae67d946fc006de

SHA512
61c6252324a4bd4a0907f7cb6da1ff10a9c3a4aa97be3e58c6c392a4c856791338c49f139657690ab1e90fddb0a4ec7dddff895d72fee29e15f6230b65a5ca98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bf8fc88412b6398c64d19a774d99185

SHA1
8ab6be6547a6062620d280cb3f4ea056412c8f7b

SHA256
edcf57113cd850ce5b21811fab9dd91e1fa488826481aac06c30765e050cd7f3

SHA512
13189a54deaf8821bad46501f2396b9608f33137862397f4b6ecce6ee5b8b10cc75318edbf9d55cf496fa02258a1b0347f79478ac084aa5fbc6ad3da93805be9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1c556b406a4f79d11e328383c46970f

SHA1
9cf5719d0029f50947d0d5b96816bd25302ea26d

SHA256
65f1e3e44dedd313c5612aaa6d3480765560620b3cf138bfee6b1d2b14e3f7c4

SHA512
f289beb9e6f194eaa20ac82da7ecfe13d607e418a7db2f6a9d8d16372c27b8cf10a521f7456a0694b8c1d991fb6bf89a648f5b7e04470cdc14b86501ceb7a221

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d495d3de2b3b350bd1fb1628d59dfe40

SHA1
bf570e10c141debfad82a3b4752ed548f6f72eb5

SHA256
7f8f5256d07301d8d977633e16ec352e15fea7bbbfe84d05271e7901a1e93802

SHA512
0b4f78e7360fb6f84912b7eac2a4bd3ff184bf4aac123ab4094459ae36380888778585c9eeb479e344e70781b7925eedd992ccc4875219e7aac86352a19dbae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b082e701a7d660cdb35c83a8484e4a6a

SHA1
48bab8bff45d18870881011ef878f46f426d386a

SHA256
2b9e86cddac81b7912be4fec703895fbe47da9380915d4566907a3760c625ffa

SHA512
cb1fc4278e12a9e014a21a3160a6889d598aab536f0ff317c515d00240af70cdad665f7b8165f6ec46862964ddbcc3608fe6abd2c3cfd8528334921e15d86d71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86e58b5d53e5bc065d91e654e23d49fd

SHA1
d91d38869bfbd28ad07a918cf1c9f4ef70715dff

SHA256
4e0b972d8cd1207c42ad9e1fc61b42a8a1ea0d67c254677ad8d97ba2d05de303

SHA512
d93dc03a94f3a8db3ecfbccf57737cebe4881f778c5f414c0595b60c645085dc1e3e23776ca226817d28466d5ca7375f9a44d523053f91e94835695f2bc9cc49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbeb972f1c0fb677426e4a8817355565

SHA1
d86ff4d43c71328a7f41af649a92129b681ee752

SHA256
f39994ebcffca6289454e4df64fa16030815c8695df3de9bbce36c9a9d073281

SHA512
4740004c122431d93893dfad97d00664ba2b656c0ae5320096afe37091cb8a2ba37e234a2d484d0384310c90e92bbf0c2808076a8cd693169a6431e7b7fb8610

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
204B

MD5
fde0e52d743a59a509e38c316bda513c

SHA1
a6f721bd4965d89a034f70bb8ad2e26c8b740d69

SHA256
78d9b883de7553137c3981ac3a25b9a5b7b7fe09761166420b5e6a107ef02e31

SHA512
cd8bbaea0f4c9532a1abd3a7965ce7fe3f1e12980c5625aa4b2e1ea0365f5e2c86ed5a4d4a204e87d936b040ca3719dec79343a76da12e4e325917e1f92ec07b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
204B

MD5
951b34d4f6b1c9d42d44223748be409c

SHA1
a33fd1e47722e1a67f9a67a442c9a327c9bcdc23

SHA256
d01f33154fc788615ad24e85d7f0a671fbed8b8817062f42ebd670bcd43be7f9

SHA512
dd6e283e952c6e063aa27cfce1e58e3d3fc062664b91f5b9b8f8fb1acd901a9ee8d6ad7a4b92f00c31103883314e41cd0aa032520c5b90a10eb6fe3c6fb14862

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD77D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

Filesize
204B

MD5
5437589410117585b236fe4835883dda

SHA1
1b20df66c4ad21f23bc835b45a402e911ee8702b

SHA256
a2638f2f5933d0ad1dec6a219b2c86d6a567af494d8f469fb3f74e0dee9178a2

SHA512
224ec8edf9573331cf3f06ee3a5bd164df3b2b44a1efa787526cd4abd8aef580d761aade320bb8a08612cc863dd7682334f2c2d947d8eeda09b4ae6e1a65e6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

Filesize
204B

MD5
04d6f758cdb40e90aff44ed9361be50c

SHA1
715c01ebee2122a185bbab156775a4340550ab9b

SHA256
5d46e7845424a0ba34417e512b92a5d9d8f954ddfef9059e3cae7e5ee1be0a9f

SHA512
eee52e9b15e934b7065acaee6347d63f2da8b71ebb7908c372ba9cb30ed7dae086ca8c05a75a329d3697a9478debf9d67bf0b43a5c9b87770019b789e647397d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7AE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

Filesize
204B

MD5
98eb04bf4892c38b37214480def22aff

SHA1
9806bb9c691825223566860d98be31b3a403df00

SHA256
1115af742b72c01fbbc4c4ee2e5c9bfb1ff9d01e797824550faff267c4b65dab

SHA512
3ed7bf753b7bc8f4fe8b5f4ca949cb8f957056bd2a4485571f1863f12bd3d3a13d3a30bc5293d8e2a8aa25f61b4bd4a54f59b61c039a989a891c208c45459184

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
204B

MD5
3886a5c55cf82131d33ec5bb940ff742

SHA1
d9bda4bb4daf3262bace20f6bb7927f71619b432

SHA256
c55178818b67108f4e43793d8442c29e6253bfa49630862bab856d69d758fa4a

SHA512
2dd9093b879d8faadb7e66479832c6f75367f1c5556377b142ce6e6191f9c38be3ff824ea665232fcb1706338b3d6b854ea5ba5aa4278ecee672bfb9dcb3bea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
204B

MD5
3723f4b1b5c66f1a90479643c4a58011

SHA1
e6be9fbdf06e2570cb00fd40f7660fdbd10585c4

SHA256
52a253bb36b66ca826dd581ddb8d4aff0d6447dbb86501b51970162c0b53fd04

SHA512
60c9a558a4a4dbc7d4bac68e2a1544886ca082ebe3bd107979c8efa0cce5755cd4b84db9e5c0d6c37b0c387e7be95613f7e059a9f948a38b79656b63b8b3317f

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

Filesize
204B

MD5
ea62870031fb0e817a89246e43504f6d

SHA1
98b7aa15eb2a83c0daf5e9431bdcb374621c645b

SHA256
f1163bb881d0d31b9310b4e2685bc12f2f7fb648692df60aebacaa0f8a1f1e5a

SHA512
1051f17303d93d50beca15990a06bfdf435eb46f1a79af8e73d670156f4da80d88c4793829ccba340ebb19069fe2f111faf93cb56d5270cfbdeeb1ea4916efbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e62bc6e59698109fbab3bee82148f51e

SHA1
13ad395eb58e9935000742fcd6e6481aec6386a4

SHA256
ac97a7bddedbe72377d4b02e888d4e32e7257aaf39db799b0eba83211a4b27fa

SHA512
7f1ed698a6ce473d2bd83bc726f690a989d3f0a38014b59b08e1d24420cfd32b0d1d4ddc751bb0e5aebaf6371562af9fa414ffe686409404e52bfa968623c34b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1084-80-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/1740-609-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2488-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2488-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2488-13-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2488-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2488-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2516-89-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2516-102-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2984-548-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2984-549-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download