dcrat | d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2.exe
Size

1.3MB
MD5

0e4b1848978d70d11368b80c778e8d48
SHA1

8fb0bd0fc39474beadd72bc0fdc328e6b96f7fba
SHA256

d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2
SHA512

c780f9d39a39761130cf511b42a89c20604cad26c480e03d2e1496f2a401c571cc44dd5664027665fbde881aec115406cb6b8bb25b862fa65b16091d6735c97c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2876	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2876	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001958e-10.dat	dcrat
behavioral1/memory/3048-13-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/2344-143-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/1776-202-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/1256-262-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat
behavioral1/memory/2852-381-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/2336-441-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/1284-501-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/536-561-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/2244-681-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
888	powershell.exe
2568	powershell.exe
1576	powershell.exe
1704	powershell.exe
2768	powershell.exe
2868	powershell.exe
2608	powershell.exe
1572	powershell.exe
2800	powershell.exe
1584	powershell.exe
3032	powershell.exe
1588	powershell.exe
2880	powershell.exe
2296	powershell.exe
2960	powershell.exe
944	powershell.exe
3036	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3048	DllCommonsvc.exe
2344	services.exe
1776	services.exe
1256	services.exe
2424	services.exe
2852	services.exe
2336	services.exe
1284	services.exe
536	services.exe
2268	services.exe
2244	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	cmd.exe
2964	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
15	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\27d1bcfc3c54e0	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
1724	schtasks.exe
1628	schtasks.exe
2672	schtasks.exe
580	schtasks.exe
2312	schtasks.exe
2744	schtasks.exe
2404	schtasks.exe
840	schtasks.exe
2132	schtasks.exe
1476	schtasks.exe
2920	schtasks.exe
2888	schtasks.exe
2272	schtasks.exe
2240	schtasks.exe
2452	schtasks.exe
2736	schtasks.exe
2988	schtasks.exe
1040	schtasks.exe
1668	schtasks.exe
3052	schtasks.exe
920	schtasks.exe
1916	schtasks.exe
2108	schtasks.exe
2576	schtasks.exe
2128	schtasks.exe
624	schtasks.exe
2456	schtasks.exe
2288	schtasks.exe
2656	schtasks.exe
2424	schtasks.exe
2468	schtasks.exe
2500	schtasks.exe
1732	schtasks.exe
1928	schtasks.exe
2620	schtasks.exe
2268	schtasks.exe
2144	schtasks.exe
3056	schtasks.exe
2632	schtasks.exe
1036	schtasks.exe
620	schtasks.exe
2464	schtasks.exe
752	schtasks.exe
2996	schtasks.exe
2124	schtasks.exe
2416	schtasks.exe
1192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
3048	DllCommonsvc.exe
3048	DllCommonsvc.exe
3048	DllCommonsvc.exe
3048	DllCommonsvc.exe
3048	DllCommonsvc.exe
888	powershell.exe
1704	powershell.exe
1572	powershell.exe
2296	powershell.exe
2868	powershell.exe
2960	powershell.exe
3032	powershell.exe
1584	powershell.exe
2608	powershell.exe
1576	powershell.exe
944	powershell.exe
2768	powershell.exe
2880	powershell.exe
2568	powershell.exe
3036	powershell.exe
1588	powershell.exe
2800	powershell.exe
2344	services.exe
1776	services.exe
1256	services.exe
2424	services.exe
2852	services.exe
2336	services.exe
1284	services.exe
536	services.exe
2268	services.exe
2244	services.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	DllCommonsvc.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2344	services.exe
Token: SeDebugPrivilege	1776	services.exe
Token: SeDebugPrivilege	1256	services.exe
Token: SeDebugPrivilege	2424	services.exe
Token: SeDebugPrivilege	2852	services.exe
Token: SeDebugPrivilege	2336	services.exe
Token: SeDebugPrivilege	1284	services.exe
Token: SeDebugPrivilege	536	services.exe
Token: SeDebugPrivilege	2268	services.exe
Token: SeDebugPrivilege	2244	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2072	1308	d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2.exe	29
PID 1308 wrote to memory of 2072	1308	d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2.exe	29
PID 1308 wrote to memory of 2072	1308	d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2.exe	29
PID 1308 wrote to memory of 2072	1308	d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2.exe	29
PID 2072 wrote to memory of 2964	2072	WScript.exe	30
PID 2072 wrote to memory of 2964	2072	WScript.exe	30
PID 2072 wrote to memory of 2964	2072	WScript.exe	30
PID 2072 wrote to memory of 2964	2072	WScript.exe	30
PID 2964 wrote to memory of 3048	2964	cmd.exe	32
PID 2964 wrote to memory of 3048	2964	cmd.exe	32
PID 2964 wrote to memory of 3048	2964	cmd.exe	32
PID 2964 wrote to memory of 3048	2964	cmd.exe	32
PID 3048 wrote to memory of 1572	3048	DllCommonsvc.exe	82
PID 3048 wrote to memory of 1572	3048	DllCommonsvc.exe	82
PID 3048 wrote to memory of 1572	3048	DllCommonsvc.exe	82
PID 3048 wrote to memory of 888	3048	DllCommonsvc.exe	83
PID 3048 wrote to memory of 888	3048	DllCommonsvc.exe	83
PID 3048 wrote to memory of 888	3048	DllCommonsvc.exe	83
PID 3048 wrote to memory of 2568	3048	DllCommonsvc.exe	85
PID 3048 wrote to memory of 2568	3048	DllCommonsvc.exe	85
PID 3048 wrote to memory of 2568	3048	DllCommonsvc.exe	85
PID 3048 wrote to memory of 1704	3048	DllCommonsvc.exe	86
PID 3048 wrote to memory of 1704	3048	DllCommonsvc.exe	86
PID 3048 wrote to memory of 1704	3048	DllCommonsvc.exe	86
PID 3048 wrote to memory of 1576	3048	DllCommonsvc.exe	88
PID 3048 wrote to memory of 1576	3048	DllCommonsvc.exe	88
PID 3048 wrote to memory of 1576	3048	DllCommonsvc.exe	88
PID 3048 wrote to memory of 1588	3048	DllCommonsvc.exe	89
PID 3048 wrote to memory of 1588	3048	DllCommonsvc.exe	89
PID 3048 wrote to memory of 1588	3048	DllCommonsvc.exe	89
PID 3048 wrote to memory of 1584	3048	DllCommonsvc.exe	91
PID 3048 wrote to memory of 1584	3048	DllCommonsvc.exe	91
PID 3048 wrote to memory of 1584	3048	DllCommonsvc.exe	91
PID 3048 wrote to memory of 2880	3048	DllCommonsvc.exe	92
PID 3048 wrote to memory of 2880	3048	DllCommonsvc.exe	92
PID 3048 wrote to memory of 2880	3048	DllCommonsvc.exe	92
PID 3048 wrote to memory of 3032	3048	DllCommonsvc.exe	93
PID 3048 wrote to memory of 3032	3048	DllCommonsvc.exe	93
PID 3048 wrote to memory of 3032	3048	DllCommonsvc.exe	93
PID 3048 wrote to memory of 2608	3048	DllCommonsvc.exe	94
PID 3048 wrote to memory of 2608	3048	DllCommonsvc.exe	94
PID 3048 wrote to memory of 2608	3048	DllCommonsvc.exe	94
PID 3048 wrote to memory of 3036	3048	DllCommonsvc.exe	95
PID 3048 wrote to memory of 3036	3048	DllCommonsvc.exe	95
PID 3048 wrote to memory of 3036	3048	DllCommonsvc.exe	95
PID 3048 wrote to memory of 944	3048	DllCommonsvc.exe	96
PID 3048 wrote to memory of 944	3048	DllCommonsvc.exe	96
PID 3048 wrote to memory of 944	3048	DllCommonsvc.exe	96
PID 3048 wrote to memory of 2296	3048	DllCommonsvc.exe	97
PID 3048 wrote to memory of 2296	3048	DllCommonsvc.exe	97
PID 3048 wrote to memory of 2296	3048	DllCommonsvc.exe	97
PID 3048 wrote to memory of 2768	3048	DllCommonsvc.exe	98
PID 3048 wrote to memory of 2768	3048	DllCommonsvc.exe	98
PID 3048 wrote to memory of 2768	3048	DllCommonsvc.exe	98
PID 3048 wrote to memory of 2960	3048	DllCommonsvc.exe	99
PID 3048 wrote to memory of 2960	3048	DllCommonsvc.exe	99
PID 3048 wrote to memory of 2960	3048	DllCommonsvc.exe	99
PID 3048 wrote to memory of 2800	3048	DllCommonsvc.exe	101
PID 3048 wrote to memory of 2800	3048	DllCommonsvc.exe	101
PID 3048 wrote to memory of 2800	3048	DllCommonsvc.exe	101
PID 3048 wrote to memory of 2868	3048	DllCommonsvc.exe	103
PID 3048 wrote to memory of 2868	3048	DllCommonsvc.exe	103
PID 3048 wrote to memory of 2868	3048	DllCommonsvc.exe	103
PID 3048 wrote to memory of 2672	3048	DllCommonsvc.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2.exe
"C:\Users\Admin\AppData\Local\Temp\d027426746243e552db0e534b11307e9f11eda154d28e7c102eb9d6e99a18ca2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZcgs6686p.bat"
        5⤵
        
        PID:2672
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1732
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat"
        7⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:620
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
        9⤵
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2816
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        11⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2204
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        13⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2920
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        15⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1432
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        17⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2500
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        19⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2940
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
        21⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2364
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        23⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2384
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c22015e6b5ae0ab254d619d3e3679f99

SHA1
bd2cd549003a4413174a52fb16cc3a417dac5eac

SHA256
ba32fc57d3e79e6e77845221604215b7d54ad0ddff57446f78717ed27d214c9b

SHA512
66fa91f4cdcf2dcecff2ed2f71255cdc5176b0f317c5c6626f48c59e789674d5233b996831879f32b963cb9ff7810bee9db223863b81e6ecf128c6642c30acb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d303ef79b9c104ca6b527681dfc44d9

SHA1
659b02f9bce061b0e4c6dd45bde32211d85a3bb7

SHA256
5613291a2b1c761912ac6cd754b01e20195f2b705408ad45c8d40844b7598c43

SHA512
37a73aedab93643b7f3f7f4605606ae63f9c787aacd061e8ceffd086c22762e191a98857110f39ca0de5d3dfaf9980d5d33833c818b2c427c6b0bc3c9b8486d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53ddc3b3bb8bdd5f691c47a8137c8047

SHA1
82122597d0785b8275c0bdd78d344235a7c47234

SHA256
a7e5a990287e336db7850f1fa2843d3c2417674c3bf6118c0fff9dea9369f407

SHA512
0a56951c64aaf6092b79a2aa29191de109bda587158a14f7a48742bb35df2bfe2c30c0cc9cd33923c8a8b8c05848a0e0f1ac7611da94c4f9bed754e09e4c8fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e67ed96e8442484caae966f4c2da935a

SHA1
faeaefe5ade9f50cfe83922c0d864943cef83a85

SHA256
4d0561c788a5f515033a88780a7484f102009aeefa45d8fd946f4eafedf79463

SHA512
5f30adb264b9954fa8db1df6ecba50c58518b7260b474bb6fbb94735c4340527ae2a53424ff14dc92a7f57982fd3812eb32ea0f5ca9c6bb51ff155182286ef3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09fda74d5c164160c4a7d65b8c5451b7

SHA1
f3ea924169e7a379e0c006db847b5f9a5d47bf6f

SHA256
e2d162c345b81e20825afb9b6ff28654bc5133ab11baf184a3608032fe8150fb

SHA512
65442fd5f8dc4b6fd68fa57a408a32f027a07202aab9c45655149e1e5d9636d3a81a9c10dfa94ec3467453a5af5d475893501bca34f22f7651862d38a9ab7436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3c3faafbca89251221f96c135a6fac1

SHA1
89ff59fb0ca20fc970b5d88701ff60a1cd647d4b

SHA256
c8f1039524ffdf5ba14bec65fe677a553f81c18ce851643e8710c0827eb15a21

SHA512
972afffcb2e6482731efe091e7e8d11be909ec52f390e32f6a1ac5c3e22c746ca8d1a4a45edd8604ba9e2342692dd3ba35a81f262d62b017650d723ce7643311

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
303abbd117406c65d25b0cd979d8b0df

SHA1
e42d0bab0318233a5247ce9efa9e825e95ecbf4c

SHA256
520b52c5c3c112a5613602b360a97d8c0f3f382df29b675de67cda4f8e3ac1b1

SHA512
bda66e2ab4a3babf7d772483a01a6297c900606d584b3aa3004173c3c9ec524060fc090394a8b1fa146866417ebd52817851a42befcc6125c767f069ac98cad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f69a998cdd0c5c05d0987dcdfefca7da

SHA1
4b111bf12b256c161a041ecb6b03908687e788f5

SHA256
f0d98490b47c4d2deb73aa2cdbb2f57ee1e7c248952c237878cf8b7dcd009e8f

SHA512
8008bb3c363bc5d2cfa6564e2995109238c113512afeac60a7516ec20d0c382cda4a9963a5a38a5416b0a92c6b73bbe38c13bff9da2e792707554ac967c04cf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat

Filesize
226B

MD5
b1288d5ea992b9bca1f9f8985b455892

SHA1
f4caf4afb49357e78e6a0bc61e2319f87b558031

SHA256
3252d6fa05e2d089383c6955e252972f510205d4fcafa9f74c255beecd1cf465

SHA512
583282d65bdc1296e167ac559fd2eecd15a191d4b3a139b9a6650f87c8263552600bd7c1c07ebd3aae299eacdcfa67c22d8ea010483d9e917705f73bed460326

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
226B

MD5
0ddfcca61eb428713838488ba6a6a750

SHA1
e8616efc23e8d8bd18683e14a9fc739c0356b29a

SHA256
8d5020b66322926f8c4a379025a68fac13459c1e5ad530a59ad468564893bfe7

SHA512
b2e2297ee7c2e8d55cdc648ce342bd645aaa0f87b6591beb40f18ecfc497e26771099d61585ccdf98c195b187fd4c2faaff459dd2809ebd61ff97104fcdd1941

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
226B

MD5
ad7e9888e2a6e027df7e91c9ade52a6b

SHA1
fc5cd5974dc9b3d22caa646177e02819ba4924ca

SHA256
9d35b255d0e86d2bc4c9abd8280dbeba42ca1315116d1095de39f278bc223ed9

SHA512
0722932efe2813d8ca886225d361b7d043fd7f46bd315dc802b4df1507d9eec706e8a496a1c8ed228f101de9b37d903802cd7dfe26c67f56ab590808afec997b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5717.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FIx4sKIZfl.bat

Filesize
226B

MD5
a3f1845f018260f90ee06bab197aaa4b

SHA1
3ae89e82d8b5fc1f45b7a1eb4b9f37d2a3b76ae9

SHA256
c7404b1200be1270ac9c3da2f3814f3ee91578dc7934003f77a39f1f80fd524b

SHA512
d47ad6fb68afc878702eaac051118cdfd207a060cb732910fb6fa2f4f15a2208f1223aa70343a8edfdfd306981009794cf7a029f6d3796ec3880455142c8850c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat

Filesize
226B

MD5
fd33095d34eacae04fe7fd3152118cee

SHA1
16b7c98f2fdfa228bfb4b8bf88a6682bc86d4c17

SHA256
883582ab84b461abd308fbb78c560d86b258e917343bcb8ed4b430026f439ebd

SHA512
8f838892128187890f9f71274558731f574297cc69350eb16499424cc03841438728172e8859a2dc3c2c53b7d5022358f20aae92079b0f26c1cf9051ff0c7f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar572A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
226B

MD5
55386a92d0dce5730e9f1b318789861b

SHA1
c1f8323329e0dc57287aebd2becc8bf1f96c2d8e

SHA256
4ad22d6ef855c680bd2f3942469d7d09d9a2e8cf1e191aad9ed22a21c8f041ce

SHA512
1920dde58d0f3dae4b11b83c97bc77e887feee7600517398a642ad8b59f1670e2012a3522b1db4828659624cbb7a91e55ab54fc318942bbff91e22df04e1a37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
226B

MD5
30648a0f147237c472e8771157541b45

SHA1
2ce58546a0f6c3987f7f983bb0024c85df467819

SHA256
35234099044d2ae92973e9a6ff3b7c8c59ef36803198e8d15ed2248a5ab25d44

SHA512
b65da25fcba06104f4e59efe3b4ba8aa39c620f80ad242fcbf47fc1ec0f2040045f77d8be5f456630b8c171f8cecf317831612eb83e173739e0cb58cf09b2428

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZcgs6686p.bat

Filesize
226B

MD5
a0045afd331f22be32b105f63bdb5a58

SHA1
b15675d9b8d3561beb1c992ec52ff6abc4f58842

SHA256
a77b429069f058053e6cde0cf9663cc196b58f757b210fc360b43e504d386264

SHA512
b53fcb405acad6d81560cb6a6b3e21823cd5473b3250f70f5d9ba7b8e7ab2dbd18b0c36c937108447b05eb670b80cae8d234a4cf7c1e045c9cefe643db48b40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
226B

MD5
fb9532b15bcb0990e05b5be08209666f

SHA1
f7226c3286f3d5de720be6851a10ef1831fbe135

SHA256
9cb0989fa5897db0149edb35e6ffeb0b68a1419299676f45e74c23131b2ecd9c

SHA512
ebcc1597c52ff320710a6a166632c24edc24dbd1d86662b8e0240f6ace79a3a8838520aaebc5e795e9c01ca9310112ff136f113312a7a3804843a9ef53bef7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
226B

MD5
7b10fee5143e51281cb8680ea50c819a

SHA1
a8da561fb72256cc36f52d05b97c539d1b3dc727

SHA256
233ab990affe765e4e50739a56cef852b13ba733f50761db4ae54c2abcbf45ce

SHA512
65826d429c1d84d9621700da8518f6f84bd956b5e376dd8253920a7c24c353b5d70d14124a161a3022e9824d8fe8de48ec0bbdbd3394865d6f0a7cc16f492202

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ae1a48c1758d731a81509f907b6dc396

SHA1
46ddaa108a4008dc741d7ca01c15e0a43cc4b5cf

SHA256
b2c619f4630ac7362f787c78b0a227a98109c61e649bb132b025dda60f563d9b

SHA512
b3a87ee3ad7e2e87169f86b41c2715b4e24eb876d69a6c1ce4988a367b301c22849fb7812c546d7b340f4fd9a7b55438f2b9f5e03473ee620618224c458a3d3c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/536-561-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/888-77-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/888-76-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/1256-262-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/1284-501-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1776-202-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/2244-681-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2268-621-0x0000000000190000-0x00000000001A2000-memory.dmp

Filesize
72KB

Download
memory/2336-441-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2344-143-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2852-381-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/3048-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/3048-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/3048-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/3048-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/3048-13-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download