dcrat | ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3.exe
Size

1.3MB
MD5

d83b9b65ba17eb7ddce59d1beda9287b
SHA1

22df0f01969523d8b25a0fc21f3160443f39b668
SHA256

ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3
SHA512

c4ce882521277955882577bd19e6f3d380279bef02f33d43e1fbeda81b2a5cc288c12958d231cf428b2e681a905ec2d70651c734f0720eb2f5c6bf8d1ef46a80
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2256	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016458-11.dat	dcrat
behavioral1/memory/2660-13-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2952-68-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/736-185-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/656-245-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/3004-306-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/892-425-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2904-485-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/2364-546-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2872	powershell.exe
1600	powershell.exe
1688	powershell.exe
2900	powershell.exe
2772	powershell.exe
2876	powershell.exe
1568	powershell.exe
1684	powershell.exe
2620	powershell.exe
2848	powershell.exe
2128	powershell.exe
2808	powershell.exe
2024	powershell.exe
2248	powershell.exe
992	powershell.exe
2736	powershell.exe
2784	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2660	DllCommonsvc.exe
2952	cmd.exe
736	cmd.exe
656	cmd.exe
3004	cmd.exe
944	cmd.exe
892	cmd.exe
2904	cmd.exe
2364	cmd.exe
2832	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	cmd.exe
2672	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\addins\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\Tasks\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\56085415360792	DllCommonsvc.exe
File created	C:\Windows\addins\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1524	schtasks.exe
980	schtasks.exe
544	schtasks.exe
2152	schtasks.exe
2540	schtasks.exe
2620	schtasks.exe
1612	schtasks.exe
2920	schtasks.exe
2880	schtasks.exe
1388	schtasks.exe
1724	schtasks.exe
2028	schtasks.exe
2320	schtasks.exe
1928	schtasks.exe
1476	schtasks.exe
812	schtasks.exe
2112	schtasks.exe
1544	schtasks.exe
1252	schtasks.exe
2932	schtasks.exe
2224	schtasks.exe
1272	schtasks.exe
2596	schtasks.exe
824	schtasks.exe
2388	schtasks.exe
2004	schtasks.exe
2476	schtasks.exe
2608	schtasks.exe
1976	schtasks.exe
1360	schtasks.exe
1548	schtasks.exe
1184	schtasks.exe
2536	schtasks.exe
1336	schtasks.exe
2992	schtasks.exe
1916	schtasks.exe
1832	schtasks.exe
2452	schtasks.exe
2408	schtasks.exe
1288	schtasks.exe
1800	schtasks.exe
2716	schtasks.exe
1852	schtasks.exe
2312	schtasks.exe
740	schtasks.exe
924	schtasks.exe
1840	schtasks.exe
2524	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
1568	powershell.exe
2848	powershell.exe
2736	powershell.exe
2784	powershell.exe
1600	powershell.exe
2248	powershell.exe
1684	powershell.exe
2872	powershell.exe
2900	powershell.exe
2772	powershell.exe
2620	powershell.exe
2808	powershell.exe
2024	powershell.exe
2128	powershell.exe
1688	powershell.exe
2876	powershell.exe
2952	cmd.exe
736	cmd.exe
656	cmd.exe
3004	cmd.exe
944	cmd.exe
892	cmd.exe
2904	cmd.exe
2364	cmd.exe
2832	cmd.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	DllCommonsvc.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2952	cmd.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	736	cmd.exe
Token: SeDebugPrivilege	656	cmd.exe
Token: SeDebugPrivilege	3004	cmd.exe
Token: SeDebugPrivilege	944	cmd.exe
Token: SeDebugPrivilege	892	cmd.exe
Token: SeDebugPrivilege	2904	cmd.exe
Token: SeDebugPrivilege	2364	cmd.exe
Token: SeDebugPrivilege	2832	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2784	2772	JaffaCakes118_ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3.exe	30
PID 2772 wrote to memory of 2784	2772	JaffaCakes118_ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3.exe	30
PID 2772 wrote to memory of 2784	2772	JaffaCakes118_ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3.exe	30
PID 2772 wrote to memory of 2784	2772	JaffaCakes118_ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3.exe	30
PID 2784 wrote to memory of 2672	2784	WScript.exe	31
PID 2784 wrote to memory of 2672	2784	WScript.exe	31
PID 2784 wrote to memory of 2672	2784	WScript.exe	31
PID 2784 wrote to memory of 2672	2784	WScript.exe	31
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2672 wrote to memory of 2660	2672	cmd.exe	33
PID 2660 wrote to memory of 992	2660	DllCommonsvc.exe	83
PID 2660 wrote to memory of 992	2660	DllCommonsvc.exe	83
PID 2660 wrote to memory of 992	2660	DllCommonsvc.exe	83
PID 2660 wrote to memory of 1568	2660	DllCommonsvc.exe	84
PID 2660 wrote to memory of 1568	2660	DllCommonsvc.exe	84
PID 2660 wrote to memory of 1568	2660	DllCommonsvc.exe	84
PID 2660 wrote to memory of 1688	2660	DllCommonsvc.exe	85
PID 2660 wrote to memory of 1688	2660	DllCommonsvc.exe	85
PID 2660 wrote to memory of 1688	2660	DllCommonsvc.exe	85
PID 2660 wrote to memory of 1684	2660	DllCommonsvc.exe	86
PID 2660 wrote to memory of 1684	2660	DllCommonsvc.exe	86
PID 2660 wrote to memory of 1684	2660	DllCommonsvc.exe	86
PID 2660 wrote to memory of 1600	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 1600	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 1600	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 2848	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 2848	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 2848	2660	DllCommonsvc.exe	88
PID 2660 wrote to memory of 2872	2660	DllCommonsvc.exe	90
PID 2660 wrote to memory of 2872	2660	DllCommonsvc.exe	90
PID 2660 wrote to memory of 2872	2660	DllCommonsvc.exe	90
PID 2660 wrote to memory of 2876	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 2876	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 2876	2660	DllCommonsvc.exe	91
PID 2660 wrote to memory of 2772	2660	DllCommonsvc.exe	94
PID 2660 wrote to memory of 2772	2660	DllCommonsvc.exe	94
PID 2660 wrote to memory of 2772	2660	DllCommonsvc.exe	94
PID 2660 wrote to memory of 2736	2660	DllCommonsvc.exe	97
PID 2660 wrote to memory of 2736	2660	DllCommonsvc.exe	97
PID 2660 wrote to memory of 2736	2660	DllCommonsvc.exe	97
PID 2660 wrote to memory of 2808	2660	DllCommonsvc.exe	99
PID 2660 wrote to memory of 2808	2660	DllCommonsvc.exe	99
PID 2660 wrote to memory of 2808	2660	DllCommonsvc.exe	99
PID 2660 wrote to memory of 2900	2660	DllCommonsvc.exe	100
PID 2660 wrote to memory of 2900	2660	DllCommonsvc.exe	100
PID 2660 wrote to memory of 2900	2660	DllCommonsvc.exe	100
PID 2660 wrote to memory of 2784	2660	DllCommonsvc.exe	102
PID 2660 wrote to memory of 2784	2660	DllCommonsvc.exe	102
PID 2660 wrote to memory of 2784	2660	DllCommonsvc.exe	102
PID 2660 wrote to memory of 2248	2660	DllCommonsvc.exe	105
PID 2660 wrote to memory of 2248	2660	DllCommonsvc.exe	105
PID 2660 wrote to memory of 2248	2660	DllCommonsvc.exe	105
PID 2660 wrote to memory of 2024	2660	DllCommonsvc.exe	110
PID 2660 wrote to memory of 2024	2660	DllCommonsvc.exe	110
PID 2660 wrote to memory of 2024	2660	DllCommonsvc.exe	110
PID 2660 wrote to memory of 2620	2660	DllCommonsvc.exe	111
PID 2660 wrote to memory of 2620	2660	DllCommonsvc.exe	111
PID 2660 wrote to memory of 2620	2660	DllCommonsvc.exe	111
PID 2660 wrote to memory of 2128	2660	DllCommonsvc.exe	112
PID 2660 wrote to memory of 2128	2660	DllCommonsvc.exe	112
PID 2660 wrote to memory of 2128	2660	DllCommonsvc.exe	112
PID 2660 wrote to memory of 2952	2660	DllCommonsvc.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef1b784bac9d4cb8c64d92dd9d9eceaa5a4018da4c406a4be3dfd439b57cc9e3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
        6⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1288
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
        8⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2464
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
        10⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2116
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        12⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2084
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
        14⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2608
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat"
        16⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2948
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        18⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1256
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
        20⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2396
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\addins\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\addins\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\Public\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Public\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16ca8c714ac23ecb857356a81de599e0

SHA1
a513721b50b04934bc00a95efee2835402951cf8

SHA256
b96b20c9104a08168185d976296fa76a783e7f8213b91c675567366bb997a205

SHA512
1839addf3990c3c8dd0695b1ec068a7f3958fdd9c388acdf3696bbe4aa0023420b334dbaa1c9c5497807dc460fe21d999d006c8f0eadc08c7c60f3a8923e1d5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0712c6908807204349cd1a2f3c069e5b

SHA1
a45973117e9d886c5598d3a2124ba5d97e0aa331

SHA256
55b2f45361ce6ee7c990d2e55d4c36472b8cf6738eec5daafbfaec41401923cf

SHA512
b4e00c6566931fd3c65f1ce3f100adb7bb7995ffa7e0fe3bd2a6730286aff34d070662adaf6ece65d536a4727d18ac7d630382985a39ca9c0c98e1ff6b40801e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
736a2314dc514854445371c6223ea403

SHA1
5ef06c9f9b1c339fb59eebfe70eaa2a5b2243c8f

SHA256
e45399916feccbdd3910b5cd840c7bc6fae0501004260ba8344bdcd60198f4f6

SHA512
4b0467b52864d8b281bc3f653a9849cd6a35c290eca563f15a6d07ad236b70cbb5137e093f23b00ba0d7d2f06707101b51796f6d5f689e00e119ea1a0ac40808

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0e3d378ade8ccd17cfe9ef16137f5a2

SHA1
c2dab5a9bde12329913c033f34c85367d6951436

SHA256
8a27629f1a1e749529eca0f5f01d3a793988964260f356681d0db4d214cfb7ed

SHA512
3827aac79ebdd1ceaef92fc68260a5747ba78807b8bb04392b34155f6531b29d20ee2ad6112516b3f4372020d2c4b6f5be92c6e8d9180a8becf2973818de885b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cdff33bad0131ea6504adc28deaeeda

SHA1
0beb379d5c2fd0bd79d8a0fb4813d979bfd5e05f

SHA256
51eb9b575ce21fb8d6a93b4c25b40f51a71c8a1cd3ce623cffcd5566d37754c7

SHA512
03840580c21db554c131deae048aadb2a08d7a8d3442a706176a9ff04c66dc773a94705104086154999534f38e73525ad5065fa6a4d90cc6c1e6853d34bf4fd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c969bd6b02b29bf8a69dbd96e45e169d

SHA1
7c6f11991752577fa04cf5667cd3066fbd7b5e13

SHA256
7718f858e98e259bdad7813002ed062f1d0d1e7bd7b8acb8ee6141352e140c92

SHA512
24301220b14c39c35f47b0bb8a3cc601e5fb2409d10394785f9e03e1d99360acc4f764be9d08306643a80ddbde4249d6636a7797b66d46ca57a6662090fc7dd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
070450cc76288c03df333fe03492755e

SHA1
db4b43743a71bc4a6e2c39681da9b79264715132

SHA256
5a00543c690ffa03b21d8e5135ae0726cccec5bce5e4e38296d876dd49a97731

SHA512
8b6723f57a74c88ca157d6dc3116af1a9c521b42df331cb0a294075de6f40c257fcd024d877b8fe825d947355f7009517da2ef1f28102e499ac47927910b05f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

Filesize
221B

MD5
1028e15693a99c23c27e84b8d8e812c9

SHA1
83c7a7b3534ea5fcb1bf53e0a2261d43826a4b4e

SHA256
91fda6cc3c7042001481a95d0120ccc3c044a4c6ce6bdb0ba7e78be25dfc52f8

SHA512
6b5fe6e7644c0399b9a352e2e531245ce1ed4daccb7b025970db480d49a5a6eb405f052004564a7029d06584cf40fc3cf82a9c94fcdad7e258a2bebff9f9adab

Download Submit
C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat

Filesize
221B

MD5
abe010b6db423bd747cf41b8aa541bbe

SHA1
f53a95b1a623455f10905701d0811cb85c08bde3

SHA256
f000d22da8e9e44142eb17075e46ed5db9691aea905fa984deb338958f4d41ea

SHA512
4cdc99cd275e1e4191bbdb42bd9d2f8680532a72d7234d17d77db868a25670a466159aa888a7cea000d37d6def85f4178b55b8a4bfae2aa9bf361385ae6a2a65

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

Filesize
221B

MD5
2eeda4dc278a0a909bd72726c8467c99

SHA1
e32e3f525507767648df39f96a1c739fd68f318e

SHA256
495648c267ba2e5b9c5fa60cacd77b712bd1673743cd732b3da8cfd46abf7e1f

SHA512
a07c84192638de73144c95c04e909108a902e0e01e984d30740027d63f24d6b36e4e2d03273ce358a1b8427944b87a8f0d00528d3e4b96e180eb30634cfa006d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
221B

MD5
1f1c344ccf7d797491318a559d45ce32

SHA1
c6909bb73add328673062a14b4395c616d5e69f0

SHA256
c761b0b1f4ffb6048c00bedd8a216e628db2e6fcfb630e068eb27b4762c36edc

SHA512
8da548171dd3ffb5c982dbd5a1f04afbf6bdc0e84f5dbb041e8bd7f1b677847916f3fc4771d19e798e480290f1f7bef3894f5d8291e3ec8e81e5ca7027cc9fde

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA372.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

Filesize
221B

MD5
2f7eb02773d2f6002f0e97722b0ef8d8

SHA1
a91e3ce3a0eed8696015b5aafe4ef10cdce5dea8

SHA256
715df7fec079ba7f994bbc5aa638771e2272c8fe21410fafdcd8964b00680fcc

SHA512
791a6d4fc1e1a787b9b1fd2b0d2b7d0f629166bcc8b86511b641a4448743d86238e8c24074090bea98cbca756f5aedb3b3fd11ed3ae40748492b21a76c3de362

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA4AD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
221B

MD5
1439f4a22dc70bfea2c5fd2697ca4194

SHA1
b65deeb948afe49ee02cb6e9d9b218ddcf11cd27

SHA256
bfcdabe9eb33b8145e52039516cc7fae3a19a422d47cc6b5ecc7abc4be29452b

SHA512
69c0d64cbb33e4435221363354bc97bb80df39bebbb652ccd4352b0ab771608c4c31128ed09f044456830f6419161f5788adb6b6960b1271f8b12d5d2a205464

Download Submit
C:\Users\Admin\AppData\Local\Temp\epFjAgKouK.bat

Filesize
221B

MD5
a239124bd435f74f91398f0a3d2531f8

SHA1
9bb3da8f3d288ad56c4a69d2adf696ea778356d1

SHA256
112fe2760a99f01b2b288f5d4345eb734788e6353833a8515ccccbb9734f2f1e

SHA512
6a568fd79c3ed733c315d7967cb7a985cfb32ce38dd8b108237b30ef75807304f0f7ec93029a0499120e6a7c559bc410ebdd59d4d7aa6c07889d1dcfa5df06de

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat

Filesize
221B

MD5
e44f4d13be186e3d3e36e98fb908d0b7

SHA1
8e96a98242535d6cb03e1e6b4e27d38fbd3a5de4

SHA256
5673633247a0904c9654570c5c706e7b256d13c8d90651b531e88fb42f33ff91

SHA512
6886e48ce221f5aaec1347bcccf923e06511661977d91b06ab191a14061659a2662bd60ea3bb1e3c61af93b47f4d13c180ab2b1712111a0ab8a374911e2daa5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4ce4606854c3f6629b6d0c8f872841a5

SHA1
880f0bb488086a9ac4f4e37c3dbd2851e98ad928

SHA256
8ca333402e43673e363d2be202390bd720b0d28dcdbe9fb61ecae7eb13ef962f

SHA512
62cfab180a64ce212f1fde0ea2c6c8304b197ba44055c2a5d662271039c097c41cbe81cd156cc015ddab21f4a0a9934063d220e5fd776f013a2a097300afbb57

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/656-245-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/656-246-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/736-185-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/892-425-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/1568-107-0x0000000002300000-0x0000000002308000-memory.dmp

Filesize
32KB

Download
memory/1568-106-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/2364-546-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/2660-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2660-16-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2660-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2660-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2660-13-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-485-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-486-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2952-68-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/3004-306-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download