dcrat | 71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448.exe
Size

1.3MB
MD5

fd428c712b8ff93b969382a18da83e24
SHA1

b93099c3adb113d2ef4b13bcb59956ba27751adb
SHA256

71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448
SHA512

8cd9cee4192b6124b8892923c26b009759a4b0d87a60f83eef2eedfeed023214ec21a09cdddce398c1e4f09ecc3b76888882dbfa1d72b66034004c3e3e251fe7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2624	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2624	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d19-9.dat	dcrat
behavioral1/memory/2256-13-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2672-119-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/2428-178-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/788-535-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2388-655-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1848	powershell.exe
1652	powershell.exe
572	powershell.exe
2396	powershell.exe
892	powershell.exe
1224	powershell.exe
1816	powershell.exe
3032	powershell.exe
596	powershell.exe
1656	powershell.exe
1640	powershell.exe
560	powershell.exe
2388	powershell.exe
2600	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2256	DllCommonsvc.exe
2672	lsm.exe
2428	lsm.exe
2188	lsm.exe
2484	lsm.exe
2296	lsm.exe
1288	lsm.exe
340	lsm.exe
788	lsm.exe
2876	lsm.exe
2388	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	cmd.exe
2908	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
35	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
2340	schtasks.exe
2540	schtasks.exe
1696	schtasks.exe
2084	schtasks.exe
1508	schtasks.exe
1908	schtasks.exe
1736	schtasks.exe
792	schtasks.exe
2628	schtasks.exe
2856	schtasks.exe
2792	schtasks.exe
2496	schtasks.exe
2480	schtasks.exe
2960	schtasks.exe
3000	schtasks.exe
1380	schtasks.exe
1680	schtasks.exe
2984	schtasks.exe
1724	schtasks.exe
1832	schtasks.exe
808	schtasks.exe
2376	schtasks.exe
2092	schtasks.exe
2068	schtasks.exe
2800	schtasks.exe
2664	schtasks.exe
2676	schtasks.exe
1676	schtasks.exe
1084	schtasks.exe
1612	schtasks.exe
620	schtasks.exe
1556	schtasks.exe
2672	schtasks.exe
1308	schtasks.exe
2712	schtasks.exe
2532	schtasks.exe
680	schtasks.exe
1668	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
3032	powershell.exe
572	powershell.exe
892	powershell.exe
1656	powershell.exe
2600	powershell.exe
1224	powershell.exe
1848	powershell.exe
1816	powershell.exe
1640	powershell.exe
560	powershell.exe
596	powershell.exe
2388	powershell.exe
1652	powershell.exe
2396	powershell.exe
2672	lsm.exe
2428	lsm.exe
2188	lsm.exe
2484	lsm.exe
2296	lsm.exe
1288	lsm.exe
340	lsm.exe
788	lsm.exe
2876	lsm.exe
2388	lsm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	DllCommonsvc.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2672	lsm.exe
Token: SeDebugPrivilege	2428	lsm.exe
Token: SeDebugPrivilege	2188	lsm.exe
Token: SeDebugPrivilege	2484	lsm.exe
Token: SeDebugPrivilege	2296	lsm.exe
Token: SeDebugPrivilege	1288	lsm.exe
Token: SeDebugPrivilege	340	lsm.exe
Token: SeDebugPrivilege	788	lsm.exe
Token: SeDebugPrivilege	2876	lsm.exe
Token: SeDebugPrivilege	2388	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1836 wrote to memory of 840	1836	JaffaCakes118_71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448.exe	30
PID 1836 wrote to memory of 840	1836	JaffaCakes118_71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448.exe	30
PID 1836 wrote to memory of 840	1836	JaffaCakes118_71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448.exe	30
PID 1836 wrote to memory of 840	1836	JaffaCakes118_71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448.exe	30
PID 840 wrote to memory of 2908	840	WScript.exe	32
PID 840 wrote to memory of 2908	840	WScript.exe	32
PID 840 wrote to memory of 2908	840	WScript.exe	32
PID 840 wrote to memory of 2908	840	WScript.exe	32
PID 2908 wrote to memory of 2256	2908	cmd.exe	34
PID 2908 wrote to memory of 2256	2908	cmd.exe	34
PID 2908 wrote to memory of 2256	2908	cmd.exe	34
PID 2908 wrote to memory of 2256	2908	cmd.exe	34
PID 2256 wrote to memory of 2600	2256	DllCommonsvc.exe	75
PID 2256 wrote to memory of 2600	2256	DllCommonsvc.exe	75
PID 2256 wrote to memory of 2600	2256	DllCommonsvc.exe	75
PID 2256 wrote to memory of 3032	2256	DllCommonsvc.exe	76
PID 2256 wrote to memory of 3032	2256	DllCommonsvc.exe	76
PID 2256 wrote to memory of 3032	2256	DllCommonsvc.exe	76
PID 2256 wrote to memory of 1848	2256	DllCommonsvc.exe	77
PID 2256 wrote to memory of 1848	2256	DllCommonsvc.exe	77
PID 2256 wrote to memory of 1848	2256	DllCommonsvc.exe	77
PID 2256 wrote to memory of 2396	2256	DllCommonsvc.exe	79
PID 2256 wrote to memory of 2396	2256	DllCommonsvc.exe	79
PID 2256 wrote to memory of 2396	2256	DllCommonsvc.exe	79
PID 2256 wrote to memory of 2388	2256	DllCommonsvc.exe	80
PID 2256 wrote to memory of 2388	2256	DllCommonsvc.exe	80
PID 2256 wrote to memory of 2388	2256	DllCommonsvc.exe	80
PID 2256 wrote to memory of 1816	2256	DllCommonsvc.exe	81
PID 2256 wrote to memory of 1816	2256	DllCommonsvc.exe	81
PID 2256 wrote to memory of 1816	2256	DllCommonsvc.exe	81
PID 2256 wrote to memory of 572	2256	DllCommonsvc.exe	83
PID 2256 wrote to memory of 572	2256	DllCommonsvc.exe	83
PID 2256 wrote to memory of 572	2256	DllCommonsvc.exe	83
PID 2256 wrote to memory of 596	2256	DllCommonsvc.exe	85
PID 2256 wrote to memory of 596	2256	DllCommonsvc.exe	85
PID 2256 wrote to memory of 596	2256	DllCommonsvc.exe	85
PID 2256 wrote to memory of 1652	2256	DllCommonsvc.exe	86
PID 2256 wrote to memory of 1652	2256	DllCommonsvc.exe	86
PID 2256 wrote to memory of 1652	2256	DllCommonsvc.exe	86
PID 2256 wrote to memory of 1640	2256	DllCommonsvc.exe	88
PID 2256 wrote to memory of 1640	2256	DllCommonsvc.exe	88
PID 2256 wrote to memory of 1640	2256	DllCommonsvc.exe	88
PID 2256 wrote to memory of 1224	2256	DllCommonsvc.exe	89
PID 2256 wrote to memory of 1224	2256	DllCommonsvc.exe	89
PID 2256 wrote to memory of 1224	2256	DllCommonsvc.exe	89
PID 2256 wrote to memory of 1656	2256	DllCommonsvc.exe	90
PID 2256 wrote to memory of 1656	2256	DllCommonsvc.exe	90
PID 2256 wrote to memory of 1656	2256	DllCommonsvc.exe	90
PID 2256 wrote to memory of 560	2256	DllCommonsvc.exe	91
PID 2256 wrote to memory of 560	2256	DllCommonsvc.exe	91
PID 2256 wrote to memory of 560	2256	DllCommonsvc.exe	91
PID 2256 wrote to memory of 892	2256	DllCommonsvc.exe	92
PID 2256 wrote to memory of 892	2256	DllCommonsvc.exe	92
PID 2256 wrote to memory of 892	2256	DllCommonsvc.exe	92
PID 2256 wrote to memory of 1252	2256	DllCommonsvc.exe	103
PID 2256 wrote to memory of 1252	2256	DllCommonsvc.exe	103
PID 2256 wrote to memory of 1252	2256	DllCommonsvc.exe	103
PID 1252 wrote to memory of 288	1252	cmd.exe	105
PID 1252 wrote to memory of 288	1252	cmd.exe	105
PID 1252 wrote to memory of 288	1252	cmd.exe	105
PID 1252 wrote to memory of 2672	1252	cmd.exe	106
PID 1252 wrote to memory of 2672	1252	cmd.exe	106
PID 1252 wrote to memory of 2672	1252	cmd.exe	106
PID 2672 wrote to memory of 2488	2672	lsm.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71a721a54e5f37c49b47c512acce2b07327c2184849cbc062f652d4a4af01448.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\spv6U4VDBc.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1252
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:288
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
        7⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1736
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"
        9⤵
        
        PID:2036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2180
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        11⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1720
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        13⤵
        
        PID:788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2324
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat"
        15⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2432
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
        17⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1756
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        19⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2728
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        21⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2228
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        23⤵
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1968
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat"
        25⤵
        
        PID:2872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Photo Viewer\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.Transactions.Bridge.Dtc\v4.0_4.0.0.0__b03f5f7f11d50a3a\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aef0c631c166e7db944c84315dccc97d

SHA1
84ada3b457427f2fdd5587413e310a07702c996b

SHA256
22b2ebdfd85e74924c6ff48b364ae54a3918b932e3ba1d7fe1611bb1a1427c96

SHA512
96e1b8b7a5e3b9c7e5393227798baee299efb6ae676e786aa6274429f6e525b7fade0f45af3852d621f740fd03fae553616559bd62f43920154707d55bf29159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
903113677e0555d809b8a9ac68a8ea23

SHA1
e9e9a8a566eff6142d03b8d5295faf2b5dc53f6a

SHA256
3882660408b90e6e95f713e74525eaffa8425c8f95cb580af02d20cd671027c2

SHA512
cffffd657d16c87277960d65f8fdc38996ad07ba0e3a29128318c57fafe678096ee6446e4e7339f943d98cad88e96d16db68c42dbf7a9aa6ec7f1ddc4620401d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa4d4ed319a91659dc7d176e5f13c522

SHA1
7913cb92bfe569d2568427afa9803df7c381f953

SHA256
601232645ef86febcf23b00501487ce41740f4723b99475e0969f27bd2fb055d

SHA512
fb376163675e18797b14d6c60ad05496724b268b5b151ff3a99a3b908462bee6a264bfcbabb8ab20c933c5efa17c9dcce60c57ee00be1d1ddaacb5b90a3e5459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f95ca075f4ed840f7bf8e2bcc16cc655

SHA1
86618435630fbaa92043841135e193a4195801d6

SHA256
48a43d11f77908a2aa5d08ef3bfd190cdfa2707ec31f7ed8025d8b3aa366e0f9

SHA512
14a636325875f9ea2c42cf1ebb8c020dc73acc3de5c0fc9e49032a63db8aaf618aef811d58e0cd8ee644cd84b32a8beb59c7a6dcc73456a5570b835d2723e4c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e10ac6108f2642173af6706320376768

SHA1
8443e2c9a06c153051f97f13a7021ea998d09c7f

SHA256
8602662f4e88ac749d8cc72a023a3550fe78f39242bb903edb90c63db848b5b0

SHA512
6cb7d7e9fc851838aac81ad0870b2559d58bdc80404992b9866a9052f37c4e24ac991ccc3d400521ad66e488c676b5706cbfcd75979b47c3a0dbd988d4491178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da5964c29f0c09327a87f84ac89c614b

SHA1
a575b40bc635d5b841b688dee112ce28870d869d

SHA256
7f37614effec2a77ea588ad12f80952bdeb6c43172d6910aabc1ccc4cda1a90b

SHA512
6f6c5268bb5765a48cb64961f1776bb09832dfbad4d4a5eece210e7bbc96afaf6333e8d140902372b126384f50ddf59dedc8f19950495b495685be34bd0ecdd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
950347cc2964229dcce9639547715502

SHA1
bdafede64208eebed097fe166ad2105ee13cd8b9

SHA256
2fe54b08ff54591de0ff986969ca17b9288981afac63eeea81e534428e75546f

SHA512
a27c9a71c90bd118f4cf0d94a329dd5e0f51dfae539fa9377a264ced45699744262bced398acfdf2848a1eb98821b119cc9f85a17044f68c08986fbeea9cb0d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66b887ee62997cc5345ff89639d513d1

SHA1
71da2dbc53d815940d187fb146386c30a18b32a7

SHA256
190778f803eb34d4379f13755c9e19de5d7fce8a23b865aafd42e975b9725894

SHA512
298eecc85c5cc26b04eaa4bd5d6c8ffa37b09ff1ccd3aa9b30c10804150a39fc4a64229406a8deeae9027f05124c426350732f35230953640d25126b364d82df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b969a797fc048b36e104dbfecd0820ba

SHA1
d414c6267e25e0646b425163d6d972bdcb978643

SHA256
4256fb5a7f2342d52b2eba7c91f077d92db8b5a37c6c3965cdaa57f5ce8efa7e

SHA512
287964226f473b3738dd21e5f2c1692c6ae6ee79c9d4ffac71c89e4d13a52a98062549fc4fc3325c25b8b2b0b9379f3df137989271e9938b6dfe8961e92492b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
240B

MD5
461c8593ead948c460426e49e90cb41e

SHA1
965afde4928685019baa31f0ec7f43de69868c00

SHA256
2df83498356aa2dbd4fcdb34a951ce05c48ab2bcca3640aa1368492167339785

SHA512
9e51e0a43f912e24d71c5af529ac63d999ac78e8d0158ace2a0027a67124270a451b428732c0195ea460534684d2b8d43d4dd1f9d2e52c237fc5f0e95473fdf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
240B

MD5
9f8a03e172d1b7726b57ed7817e31cb4

SHA1
8e639fce9c64958c3609967b8cd489c39136222c

SHA256
a2142c2b175fbc79da486080c57b7259b54a09396cc444a80ebf4556094886b3

SHA512
b0f9786af934ee40e744846aa2047cbce1c32af7c3f27e7a4b405701fa7a64a1f52ffd0325bf837f838a5cb9654a1d4f6fb56ca1914984750a410092b4ad7e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
240B

MD5
6caef6f8cbca30bbf6c83b17cfeac6da

SHA1
6a414b7a9efff055f128733bdd6831f406a72049

SHA256
18ad31d3044108f8c87564975a19a8a5ad950e2490ffb9f6c75af5eb9a75d334

SHA512
02fe4ebe4253e5ab06561219d0a8ba4be6f59ea9dcaab1f57f4404e80f49225578a0eded0bb24812f9fdd7617c11fe6af00ca1a3aeb65d762f73102dcf95ef2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

Filesize
240B

MD5
1a2cc168559c0d477fc6b164e6ae87e7

SHA1
dac7d7d819d0915b478425110473c77b24c534bd

SHA256
a3201fb736b25c52e751939aaf20e0e6def54e81779511729d56745459ccb38b

SHA512
d7d0730118bfc4ef9595c36ec193edcd3bdc120a63aec08cee12ac44b47b22675ca24ff25ce4eb2ea4c7c1c7f320d0d191e5834ba1e9f758ae1a7387bebc69a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab18E0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgAoPiAcVL.bat

Filesize
240B

MD5
55a46e7dd84a11fd3b7cadcedd7a7841

SHA1
fe4fa9c736d571d0c947e7422a2111ccad1cbfc9

SHA256
4079f20751ec10fdba5aae26642571d6972b25e4fe0ba26025f46860aef8749f

SHA512
101eb689b1d72886aebac391ea85455d7d38a80036cea6c0d168640892f2198f76bc91b97e88b770aaf9dbb0667260f0f0e84960bf29545c5869e0dcb8749e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar18F2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
240B

MD5
2cd20d4c8cc39c81201fd0560d80ad52

SHA1
cf06bd559ff6e2a0e74146ca7a6dd0d3dc39b3f5

SHA256
cc624c38514136b1c587e31648441a012e6f4a5deb866e530c7656a387b7f1e4

SHA512
d578e5fe515b46979b2ba2a98ebb3cce1eac21e13d4d63cad0c03ae69f515ad5132e131db38f92d259c3b7d2f376a29e8037306a7a548e710591660b0a10264f

Download Submit
C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat

Filesize
240B

MD5
551fa439c86c961038e3fa58cebefc7c

SHA1
58443cf8a55b178ecb54de1f1c9817df30fa9207

SHA256
84cdfa65977048486968757a180e3a1bece65b9c384346809e976dfe45e3947c

SHA512
1625d9a569c581ba29d2f94565297fc38557244a672d9b14804bf287f014eb3dd379d65bf71a5ac01c06e71a3d45f66409daaf22af0441492d465ffd2c758333

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

Filesize
240B

MD5
832f5ff7eec48d9fa308fd7278a4ec3e

SHA1
0046d77da9864c2246b685cc9046af08f1afae3d

SHA256
d230d4a9a20a2fe03fe2efe70217368c6b5709594071e385ef397f922e087eee

SHA512
6f1b078c922fad0c30e6566fb056375ee7f212d05b1edc4ed1da247100ba580c78c7162e193e66909222b82c3d5f3eb6bbd48206a6806837cb7d828cebf3ffa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFE2FgvhS1.bat

Filesize
240B

MD5
b145e5efb9ceb8583fa395185f4c7db9

SHA1
4e89b3612d4f9a829617faf17df2a30460de0ff6

SHA256
622fb94d16d15e904a3848e611ba4496b5d5797f3e62afeaab8ab850eabaeb46

SHA512
c425e1373408b0c99757a1b625ca3bcb1ae2ad7001ad31184a90c94e62407da733521988ee3e24b8a1a0ac74de10cd09ff8cbe74ad50e356c4486d2c0593acdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\spv6U4VDBc.bat

Filesize
240B

MD5
4dbeefda27564aeaed641fe14956c673

SHA1
b6c3c37260e3711766f91dbf7cde7942e60562f9

SHA256
d5a85e5099ceca0dcd02b0ea5f7505bdfcc9201c1f78ba5ecebadfc83b44f08f

SHA512
e3324885ac7dc8d7eccc413f96a21560b38c6ba77676af17c0d6a9bbb742e370b35e4f66bcb957dba4664b94b4aebfc66ac8057923caf925fff9fd168e786882

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
240B

MD5
61e92fe3f28c7e3816e3b21b41ae6ec9

SHA1
f90cc4625e599bee696c6dde253398aa8c02c315

SHA256
ba93ed3948c6c9908df76e7385d394097c6e499e8eb60423fde5bbdc3b82a69d

SHA512
9b0b2fb7a24a621b5590e629d56d31e0c185f4bc041e7459e871ebe3a38e84148a0f63151d1bdd577fb13b0dd685e2288696cf62064935692f5d6d39fe681236

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fcaa51e12fb373190c19a9484a62f547

SHA1
e92b022aade40603126af8624a69aa2633f480e8

SHA256
a652e64503c7334dbd1a2c5b79a9c04f6358b98d5ff58ae960d6495d5ef65ffd

SHA512
7b8c582c367bca15ff6ef5b48931623d097e470567178e2adf3977fd5d7228491c76c2c43121fe4a8097ab6e9fc9911361988573189b2aa67f7a276132ac8a05

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/788-535-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2188-238-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2256-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2256-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2256-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2256-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2256-13-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2296-357-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2388-655-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2428-178-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2672-119-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/2876-595-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/3032-50-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/3032-56-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download