dcrat | 67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a.exe
Size

1.3MB
MD5

919c12ef658d42167d446eddeaeb957a
SHA1

65e8d2c1585d83f05feb26b0bb12c5079a93b89d
SHA256

67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a
SHA512

216d8eaf32227072fe6d08874670cd54ecfafe6934fb946de9eb80dba3558abb2a15209f487fcb557c55a2b9ec7d510a696c7579230ab122d35f18b297304d65
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2612	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2612	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001921d-9.dat	dcrat
behavioral1/memory/2736-13-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/2116-54-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/2648-195-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/2092-255-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2140-315-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/2628-375-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/1852-435-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2444-496-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/296-615-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1580	powershell.exe
1564	powershell.exe
2748	powershell.exe
2100	powershell.exe
3068	powershell.exe
2524	powershell.exe
2316	powershell.exe
1740	powershell.exe
1696	powershell.exe
2464	powershell.exe
1852	powershell.exe
2072	powershell.exe
756	powershell.exe
2392	powershell.exe
884	powershell.exe
2400	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2736	DllCommonsvc.exe
2116	csrss.exe
2648	csrss.exe
2092	csrss.exe
2140	csrss.exe
2628	csrss.exe
1852	csrss.exe
2444	csrss.exe
2460	csrss.exe
296	csrss.exe
2220	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	cmd.exe
2752	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\twain_32\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\twain_32\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe
568	schtasks.exe
1572	schtasks.exe
1552	schtasks.exe
2220	schtasks.exe
2812	schtasks.exe
668	schtasks.exe
684	schtasks.exe
2180	schtasks.exe
1972	schtasks.exe
1752	schtasks.exe
1712	schtasks.exe
1576	schtasks.exe
2604	schtasks.exe
1364	schtasks.exe
484	schtasks.exe
2120	schtasks.exe
776	schtasks.exe
1764	schtasks.exe
2740	schtasks.exe
2056	schtasks.exe
2680	schtasks.exe
2188	schtasks.exe
340	schtasks.exe
3056	schtasks.exe
1804	schtasks.exe
1600	schtasks.exe
1648	schtasks.exe
2436	schtasks.exe
2980	schtasks.exe
1768	schtasks.exe
2520	schtasks.exe
2408	schtasks.exe
2444	schtasks.exe
2208	schtasks.exe
692	schtasks.exe
2140	schtasks.exe
2384	schtasks.exe
2192	schtasks.exe
2168	schtasks.exe
2428	schtasks.exe
1824	schtasks.exe
2836	schtasks.exe
2228	schtasks.exe
2312	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2736	DllCommonsvc.exe
2736	DllCommonsvc.exe
2736	DllCommonsvc.exe
2736	DllCommonsvc.exe
2736	DllCommonsvc.exe
2116	csrss.exe
884	powershell.exe
1580	powershell.exe
1740	powershell.exe
756	powershell.exe
2100	powershell.exe
3068	powershell.exe
1852	powershell.exe
2464	powershell.exe
2316	powershell.exe
1696	powershell.exe
2072	powershell.exe
2400	powershell.exe
1564	powershell.exe
2748	powershell.exe
2392	powershell.exe
2524	powershell.exe
2648	csrss.exe
2092	csrss.exe
2140	csrss.exe
2628	csrss.exe
1852	csrss.exe
2444	csrss.exe
2460	csrss.exe
296	csrss.exe
2220	csrss.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	DllCommonsvc.exe
Token: SeDebugPrivilege	2116	csrss.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2464	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2648	csrss.exe
Token: SeDebugPrivilege	2092	csrss.exe
Token: SeDebugPrivilege	2140	csrss.exe
Token: SeDebugPrivilege	2628	csrss.exe
Token: SeDebugPrivilege	1852	csrss.exe
Token: SeDebugPrivilege	2444	csrss.exe
Token: SeDebugPrivilege	2460	csrss.exe
Token: SeDebugPrivilege	296	csrss.exe
Token: SeDebugPrivilege	2220	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2884	2956	67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a.exe	31
PID 2956 wrote to memory of 2884	2956	67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a.exe	31
PID 2956 wrote to memory of 2884	2956	67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a.exe	31
PID 2956 wrote to memory of 2884	2956	67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a.exe	31
PID 2884 wrote to memory of 2752	2884	WScript.exe	32
PID 2884 wrote to memory of 2752	2884	WScript.exe	32
PID 2884 wrote to memory of 2752	2884	WScript.exe	32
PID 2884 wrote to memory of 2752	2884	WScript.exe	32
PID 2752 wrote to memory of 2736	2752	cmd.exe	34
PID 2752 wrote to memory of 2736	2752	cmd.exe	34
PID 2752 wrote to memory of 2736	2752	cmd.exe	34
PID 2752 wrote to memory of 2736	2752	cmd.exe	34
PID 2736 wrote to memory of 884	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 884	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 884	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 1852	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 1852	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 1852	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 2524	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 2524	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 2524	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 2316	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 2316	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 2316	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 1740	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 1740	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 1740	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 2072	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 2072	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 2072	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 1580	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 1580	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 1580	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 1564	2736	DllCommonsvc.exe	89
PID 2736 wrote to memory of 1564	2736	DllCommonsvc.exe	89
PID 2736 wrote to memory of 1564	2736	DllCommonsvc.exe	89
PID 2736 wrote to memory of 1696	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 1696	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 1696	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 3068	2736	DllCommonsvc.exe	91
PID 2736 wrote to memory of 3068	2736	DllCommonsvc.exe	91
PID 2736 wrote to memory of 3068	2736	DllCommonsvc.exe	91
PID 2736 wrote to memory of 756	2736	DllCommonsvc.exe	92
PID 2736 wrote to memory of 756	2736	DllCommonsvc.exe	92
PID 2736 wrote to memory of 756	2736	DllCommonsvc.exe	92
PID 2736 wrote to memory of 2392	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 2392	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 2392	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 2400	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 2400	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 2400	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 2748	2736	DllCommonsvc.exe	95
PID 2736 wrote to memory of 2748	2736	DllCommonsvc.exe	95
PID 2736 wrote to memory of 2748	2736	DllCommonsvc.exe	95
PID 2736 wrote to memory of 2100	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 2100	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 2100	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 2464	2736	DllCommonsvc.exe	97
PID 2736 wrote to memory of 2464	2736	DllCommonsvc.exe	97
PID 2736 wrote to memory of 2464	2736	DllCommonsvc.exe	97
PID 2736 wrote to memory of 2116	2736	DllCommonsvc.exe	105
PID 2736 wrote to memory of 2116	2736	DllCommonsvc.exe	105
PID 2736 wrote to memory of 2116	2736	DllCommonsvc.exe	105
PID 2116 wrote to memory of 2784	2116	csrss.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a.exe
"C:\Users\Admin\AppData\Local\Temp\67dd2b7ac549a10c961a5cdd66a6f8850857fb750d0376658d4e01081be6ef7a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\twain_32\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
    - - C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat"
        6⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2588
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
        8⤵
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1364
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat"
        10⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1764
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        12⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2708
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        14⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2544
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat"
        16⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2152
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        18⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2200
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
        20⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2008
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
        22⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:764
        
        C:\Users\Default User\csrss.exe
        
        "C:\Users\Default User\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\twain_32\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Windows\twain_32\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Favorites\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Public\Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07dbab7cd434a59673e5b2bf4a075ba9

SHA1
2fe25b5e3231165b8f591844b0838d97eb13a5c1

SHA256
4b231893d1c3a78e42f52cf88972b5a7c72af0192ea75ec84e40033bc9d65642

SHA512
c6035b41c9d939ec6d17b7c1723a81c272c1ad6d30285dc7511bb71b874d205c9931efaba9b98889b1736fa2012895f78f50c0d02d7ea197c9929b0ce768b470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
085f607e598199d0f10db8dff2a89e03

SHA1
1cb9cdd745192b74b5d008b11b5efe778c7e7fb0

SHA256
e5d3a1049e50b3189487c6df0c197e9d9b95e3a13ecb3002544e7124f0617e44

SHA512
b107ccd437ffaf195ea165c9161c548473fd213978d8fc51b390ad4be98419ccc5616875cdd535d791b723c11f650988b6ac011fbec33c7ff5a50c015ef765b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3177a2751edb999a4b66e718635eeb35

SHA1
a7c9a94ae3796c0314260aad0b3a7f9f9fe358cb

SHA256
86aafef6388d708d4ad87ff30cf9962a3cf7e7ece135f19b418c6fca91abe518

SHA512
92a5b27b53d90f3f02c04646ac40e7fcae1d11cb91c4fa7b8fb3c5cc5d9c167eff27e3c32ced4cc16897c17ced907417ea272b73f96f511f3a23cc754782a18f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5185a9609572bc0c919551e6377fdfb

SHA1
b96a377c319da7e414ca8d41ad7af96f576e1f1d

SHA256
8bf9a910c7cdad2347735b5516aa0f8386577677ebcb9f22c107a4af69ed8748

SHA512
c94ffcae89f6599d6c4e0309b25450c1709294fb1f549aa1cc29d2b803760ba4a36937f80d8afc65d17a28664dd4887c91ebd33e69a670154f7f56bc1d7089a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
592a17ea170aaef2f8decdada7c60c97

SHA1
2123ff3c391ef894022c7dd209e9261384255fe7

SHA256
c6d4ef0ee36a5890596108e0d269471d2098c8bfeb4128a8304d8636655cef00

SHA512
67e5df328760c128bb348eaaf3122359567914e0e2a36d61784077d9125cea95244c611e9058d74aeea6395b1b85ddde9ad8e7748db47bbf59d0efac7681db68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8a1a7b0f5c63d0f595e2f7c60836f9c

SHA1
1acac3627d6d4aa4eaaa819545bafc66305dca39

SHA256
a4c6193e96baa4b697b6aba37489b88767093bdf150d8e999d6ef8d652034584

SHA512
f5c0a9b39253436771d8b5efd60032bff9e4234b499f6f344089c1befec524b5451be1322747983ca0ee43a60c20b7441b6f7fa6a71195d7802dd303b3a38e95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4530a08c8b4604a983e7ada9382707f9

SHA1
641b984f61d080b6f703d58287deabaa7c61e736

SHA256
63c9bc78aa6d450ad87e62897a74b9307e14b196836ac1be1e9c2eaf0441cb66

SHA512
170ba398c0aadbb32f933bb9a8d8ffe0e53bcbb87aa641f8d5b2d3b82bdab22ad0dee3d2529121d5cb41335a1ff26caebe4502c454b90005e745d54bfd42c92c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
503246fa9e2fcbf0471e0c7d4b0442b4

SHA1
4b5e87f9bc94f685779b8d44446f043ebf4d0b67

SHA256
dc6d4b427f90fbae13b203feae97ce1174524c7cc6202b448c4185387adc728d

SHA512
6f7b293b782241281c305145c5f00c88fbcf23c11f6bbc7b1bbe6ed552cdf3fe21371d66bbb80bcf6162264e86b0a0f989794867e97e4d3ee0750cf04c891810

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0208168c154ed64223ef793974cc65b

SHA1
c70cbbb7c8c1bf42c3740fe078e7181d0b5bbc43

SHA256
7027e082d2980a55e5b165d83e71d02bbf937f32f8814540b91d0f097a772553

SHA512
879560e32dabd609e38f77b5c0d1e046e7caf53c9b1c77612b11ac5cd914a64c83d17f72317142167aba0e275edc7ca926897960bd0765d4b9ffbe50afd5c779

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
196B

MD5
a690f1b2111b04b0371ea5eede40e69b

SHA1
74709c615eafd55f9549ec7b176609ea060dd303

SHA256
2f4e21b3d5002605d89cbe8274ff19ec8e509bef93afc5cd0d5e8a305c3f8aaa

SHA512
48cf535315810d9ca76e957a446b147726f12408e943e2b0a3f90ee1bb969b8b56dd97cfc91e777e258e31615b1c2493a85607c228de1578df1b65248e5d8e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DB5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

Filesize
196B

MD5
82d05d0ab2a67d01add67785ab959b4b

SHA1
79311532a99fa6ff560d0f53d22831b5f188eedd

SHA256
c8affe6006820b80ac8bc8b1681e7aafa0a24809f2e76e8df9be41bf09b03de9

SHA512
6282cf419953dc0580471ddf32f230d0b2fd506b7f552057720b627651a64596e278cad3a39aace4af65dc45b47b9566a95f383ad6f69ccef251070729debb06

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
196B

MD5
637cc4f796fd77613026b347544be8d3

SHA1
30de035cb20d7a611bcf8db060d5108c598166b2

SHA256
fd10b2067bcb3caf5c56e1e812bcf618e5154afa15195e22fc417b4668ef7de9

SHA512
38e63a83888f8684811f9fdcda4e933e7c37a0446de89e8df5964633d83d957b301d7daaf0ac6952286f5ae1b42bb2eae338e47af7f9bc00117dd393117ddd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
196B

MD5
17ef5af8b5b7bbc025cc16bcfaf2584f

SHA1
e01c0ea462af627091a49865ec09255ab2144ddf

SHA256
ea1e86b3d5c9cc1a584ee52749e58aed674f1f5cf91dfff279fccd15386885be

SHA512
ba1aa9476d6e9ba21d5c4a424116cef080452032ee345efc1a10fce406ea68332060a91d5209e2856a59ced699c99895ead83fd7e521d30e9436efd679409567

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DC7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
196B

MD5
bebc2c8cdae085b02bb80e4ee1ccbb62

SHA1
48e630b812acb6db745bc46dc0f0fe04be3c2340

SHA256
740e6b56e34006d2cb98ca339d37b757a670ccc2508ae218b9cf3aac1831a9a2

SHA512
487187c5c06ffbd3fd8ff2323ba172c5b7e489016416dc4615f6536e8b0d87f42ac2d36da21ab3ea74dd00e69599ca0ec7d9d8a9e71881a7084fee26afd20b15

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat

Filesize
196B

MD5
6b3c937f8ce4f77b1373774fb56540be

SHA1
ce4dcbbd35d9c7a877e45471ffe88c64a0180376

SHA256
f301d94f665e188783d1511e12f1d590138dc83cad2c079b4981f572447ee338

SHA512
c0845eb5895578a592122d880ddc8a6f007eae6d125958d334ffc989b54356e78741baee488fb5c166fcb2c93c9d5c6d2c6f25f73d03287af3bc823bb74d8aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwHeC7tSxv.bat

Filesize
196B

MD5
c2142d48220625a867f1588fe940a426

SHA1
aa405c74b38152b3d26dc15ea1125afd118f4258

SHA256
0cb8bfa8efa60eb98e1a360d60fd4b2e80b892f0b799ce5959cda7b8c04b4337

SHA512
40b94424e1228099bf13dfe4d3de4d6e060a843ff3263b5b5d19b6efefd6d2ae360eb878e83302a2d31be9361bc8acb5c76d52a1313fddc9d025acaecc215301

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

Filesize
196B

MD5
bd33943390d1a0e3c5ab31c6732583c2

SHA1
cfece4c3b0a42ec2036d754db4c58582ffd84452

SHA256
c84d9d1d5883e72beec8413a32ac4568cf7ff2f207cd20b51a18e0c127177774

SHA512
207d08f41d0178b0368ec5fb6e82864ad7b383993928644f7d85f1663530de0103e33217c9d853fc85913d8f8b3fb16af6fe9368604d9233876abb2cf3065961

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSuCPwp4Rh.bat

Filesize
196B

MD5
e5d5d2a7de47a060a0281d68ce8a48d1

SHA1
594e5899d42f9300c5d17657fec6ebe0317c08db

SHA256
c1857a5e66ee406bcc0ef014915c65545d3f0e26cff1efa49a6fa5c2bc1cac4a

SHA512
3b64baa1282260afaf2883b39f5dcbea9202f95c1b0b711254d1df5edb74308b0ccca0f317e7a34bede8ea5be21c61c5e56ffd242d030f2ee725445ee6f5f195

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0RSD89O7T647KK4O90A6.temp

Filesize
7KB

MD5
0dca301622da4df3327bdb2116a345ed

SHA1
bffd3445db31915b3b9d2df02777c4e279807a81

SHA256
e2f229238b2fc8109b69124f28faaa1b49ee9ea1346be7ba7868676a6c2a3f36

SHA512
eba255c5be5bf6a5f8877ab9e6f17bf86ec11ef59a13a660444584edb7eae4bc6602a0fe3a03935723de22c6f987aa9b236250d2e6eea4ea98846f18d8dbef89

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/296-615-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/884-64-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1580-65-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/1852-435-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/1852-436-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2092-255-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2116-54-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/2140-315-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/2444-496-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/2628-375-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/2648-195-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download
memory/2736-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2736-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2736-13-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2736-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2736-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download