dcrat | e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997.exe
Size

1.3MB
MD5

2bdfa8a0de12bd056f3f2bab8a94c68a
SHA1

3453f07f76daaca47a4af3239e5835f1cf7daf82
SHA256

e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997
SHA512

0c5d82d1aa1983a62eb90f14827d3815ddf91a88edc7b4b38c655ca76f74b68e3a0a7091bde7fcf8954c31b7f188f9bac5988119dafb26be84bb1cf2541ddccc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2572	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2572	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018741-11.dat	dcrat
behavioral1/memory/2848-13-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2608-136-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/2592-254-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/1392-315-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/3036-375-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/2900-435-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2316-495-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/2524-614-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2356	powershell.exe
2860	powershell.exe
1096	powershell.exe
824	powershell.exe
2756	powershell.exe
2308	powershell.exe
2344	powershell.exe
2184	powershell.exe
2664	powershell.exe
1492	powershell.exe
2328	powershell.exe
3068	powershell.exe
1780	powershell.exe
884	powershell.exe
1852	powershell.exe
2296	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2848	DllCommonsvc.exe
2608	smss.exe
2004	smss.exe
2592	smss.exe
1392	smss.exe
3036	smss.exe
2900	smss.exe
2316	smss.exe
408	smss.exe
2524	smss.exe
2192	smss.exe
2408	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
796	cmd.exe
796	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\de-DE\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\audiodg.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
2228	schtasks.exe
2524	schtasks.exe
976	schtasks.exe
2252	schtasks.exe
2928	schtasks.exe
2984	schtasks.exe
2268	schtasks.exe
1916	schtasks.exe
2028	schtasks.exe
1604	schtasks.exe
2272	schtasks.exe
2892	schtasks.exe
2752	schtasks.exe
1224	schtasks.exe
1392	schtasks.exe
752	schtasks.exe
1720	schtasks.exe
988	schtasks.exe
1844	schtasks.exe
2120	schtasks.exe
1388	schtasks.exe
2364	schtasks.exe
1256	schtasks.exe
1452	schtasks.exe
1288	schtasks.exe
2924	schtasks.exe
1308	schtasks.exe
1892	schtasks.exe
1996	schtasks.exe
2240	schtasks.exe
2932	schtasks.exe
2740	schtasks.exe
2424	schtasks.exe
2948	schtasks.exe
2460	schtasks.exe
2428	schtasks.exe
2088	schtasks.exe
3028	schtasks.exe
744	schtasks.exe
632	schtasks.exe
568	schtasks.exe
1920	schtasks.exe
1948	schtasks.exe
1688	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2848	DllCommonsvc.exe
2848	DllCommonsvc.exe
2848	DllCommonsvc.exe
2296	powershell.exe
2308	powershell.exe
2356	powershell.exe
2860	powershell.exe
1852	powershell.exe
2664	powershell.exe
1492	powershell.exe
2756	powershell.exe
3068	powershell.exe
2184	powershell.exe
824	powershell.exe
2344	powershell.exe
1096	powershell.exe
884	powershell.exe
2328	powershell.exe
1780	powershell.exe
2608	smss.exe
2004	smss.exe
2592	smss.exe
1392	smss.exe
3036	smss.exe
2900	smss.exe
2316	smss.exe
408	smss.exe
2524	smss.exe
2192	smss.exe
2408	smss.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	DllCommonsvc.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2608	smss.exe
Token: SeDebugPrivilege	2004	smss.exe
Token: SeDebugPrivilege	2592	smss.exe
Token: SeDebugPrivilege	1392	smss.exe
Token: SeDebugPrivilege	3036	smss.exe
Token: SeDebugPrivilege	2900	smss.exe
Token: SeDebugPrivilege	2316	smss.exe
Token: SeDebugPrivilege	408	smss.exe
Token: SeDebugPrivilege	2524	smss.exe
Token: SeDebugPrivilege	2192	smss.exe
Token: SeDebugPrivilege	2408	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 1744	1780	JaffaCakes118_e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997.exe	31
PID 1780 wrote to memory of 1744	1780	JaffaCakes118_e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997.exe	31
PID 1780 wrote to memory of 1744	1780	JaffaCakes118_e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997.exe	31
PID 1780 wrote to memory of 1744	1780	JaffaCakes118_e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997.exe	31
PID 1744 wrote to memory of 796	1744	WScript.exe	32
PID 1744 wrote to memory of 796	1744	WScript.exe	32
PID 1744 wrote to memory of 796	1744	WScript.exe	32
PID 1744 wrote to memory of 796	1744	WScript.exe	32
PID 796 wrote to memory of 2848	796	cmd.exe	34
PID 796 wrote to memory of 2848	796	cmd.exe	34
PID 796 wrote to memory of 2848	796	cmd.exe	34
PID 796 wrote to memory of 2848	796	cmd.exe	34
PID 2848 wrote to memory of 2308	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 2308	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 2308	2848	DllCommonsvc.exe	81
PID 2848 wrote to memory of 1852	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 1852	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 1852	2848	DllCommonsvc.exe	82
PID 2848 wrote to memory of 2344	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 2344	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 2344	2848	DllCommonsvc.exe	83
PID 2848 wrote to memory of 2296	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 2296	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 2296	2848	DllCommonsvc.exe	84
PID 2848 wrote to memory of 2356	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 2356	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 2356	2848	DllCommonsvc.exe	85
PID 2848 wrote to memory of 2664	2848	DllCommonsvc.exe	86
PID 2848 wrote to memory of 2664	2848	DllCommonsvc.exe	86
PID 2848 wrote to memory of 2664	2848	DllCommonsvc.exe	86
PID 2848 wrote to memory of 1492	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 1492	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 1492	2848	DllCommonsvc.exe	88
PID 2848 wrote to memory of 2328	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 2328	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 2328	2848	DllCommonsvc.exe	90
PID 2848 wrote to memory of 2184	2848	DllCommonsvc.exe	91
PID 2848 wrote to memory of 2184	2848	DllCommonsvc.exe	91
PID 2848 wrote to memory of 2184	2848	DllCommonsvc.exe	91
PID 2848 wrote to memory of 1096	2848	DllCommonsvc.exe	93
PID 2848 wrote to memory of 1096	2848	DllCommonsvc.exe	93
PID 2848 wrote to memory of 1096	2848	DllCommonsvc.exe	93
PID 2848 wrote to memory of 2860	2848	DllCommonsvc.exe	94
PID 2848 wrote to memory of 2860	2848	DllCommonsvc.exe	94
PID 2848 wrote to memory of 2860	2848	DllCommonsvc.exe	94
PID 2848 wrote to memory of 2756	2848	DllCommonsvc.exe	95
PID 2848 wrote to memory of 2756	2848	DllCommonsvc.exe	95
PID 2848 wrote to memory of 2756	2848	DllCommonsvc.exe	95
PID 2848 wrote to memory of 884	2848	DllCommonsvc.exe	96
PID 2848 wrote to memory of 884	2848	DllCommonsvc.exe	96
PID 2848 wrote to memory of 884	2848	DllCommonsvc.exe	96
PID 2848 wrote to memory of 1780	2848	DllCommonsvc.exe	97
PID 2848 wrote to memory of 1780	2848	DllCommonsvc.exe	97
PID 2848 wrote to memory of 1780	2848	DllCommonsvc.exe	97
PID 2848 wrote to memory of 824	2848	DllCommonsvc.exe	98
PID 2848 wrote to memory of 824	2848	DllCommonsvc.exe	98
PID 2848 wrote to memory of 824	2848	DllCommonsvc.exe	98
PID 2848 wrote to memory of 3068	2848	DllCommonsvc.exe	99
PID 2848 wrote to memory of 3068	2848	DllCommonsvc.exe	99
PID 2848 wrote to memory of 3068	2848	DllCommonsvc.exe	99
PID 2848 wrote to memory of 2188	2848	DllCommonsvc.exe	113
PID 2848 wrote to memory of 2188	2848	DllCommonsvc.exe	113
PID 2848 wrote to memory of 2188	2848	DllCommonsvc.exe	113
PID 2188 wrote to memory of 2776	2188	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e3529eb712ee92dd5865fe0864991723527e3c920395254127070a3a6b165997.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:796
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LoR7XQe1eh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2188
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2776
      - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
        7⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2400
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        9⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2252
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
        11⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1480
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        13⤵
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1692
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat"
        15⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:832
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        17⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2092
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
        19⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1196
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat"
        21⤵
        
        PID:1468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1204
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
        23⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2088
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        25⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2176
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af67befa24d40dbeb165fffe045f5657

SHA1
9e92ec4c141cb89ea94f6bbda88c3577dc6f1d6a

SHA256
86cf38c22c815313287b202eb31f9789066041140bae4e901c522958a57b170d

SHA512
d0506c3578420d91b4ceb62cc68423bd69c955397334c7447d09a5cb9338304c7f10e1a333696c3df1f06bccc6db912dc5e7497a6990fbe86f9798d66a6d9397

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf78a9351b74a4b7cb7ed2186d7a7b1c

SHA1
6eaf0d7374aa9d17b577e5d4de6422127bd5929e

SHA256
340efcdbc97d0c024ca4de60c4de95688124cddf2994d23db3119ebfeb553aec

SHA512
d9efe2535886c26ca1836d36b44b6c740c55233b0d0d01c38c9ab80238e3c3078fe70438e69b829f05f47ad9fd3435794a794b1fe536e485746006bf77367cea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99511893ee4d3dd00f5da28540dd7f60

SHA1
08837f29d3a6603c98d8d6cad32553341878cf81

SHA256
ec007aee3d57848b288058f7e4399d6127de46e4f74f903d8524438f5184045c

SHA512
dd1fdcc14704a450a1268d01d8d4ec90c45e04a45e78d635ce3284782db854133baecb09c6c7e917b6dcc1a39028c32c91661cdf1bfff0a472316ac8123622f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acb02ce7a1120ddd00c14cfa4e050674

SHA1
f0da67fb980c2b33d87518281a1b4402712926c1

SHA256
ffac7272c84f91d4ee2e784b6f9cdc17c1d73b1745048aec4c63442ade1825f6

SHA512
bb64829593b4c5ddbfc885abe042aac4fc9d33985d0dd5ce42b870c8a77c6c62330cb2a79d5a81ab10d0a51b188483c75512cdfd57099539f5ad66d57821aa34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49e2f553e716f066c4cb69de0b0351d7

SHA1
14203214ad236e9bed05dff24692f1e12954aae6

SHA256
3a142a53817bae8ea7360bf883684d043fe12c6a678a3637cb84330949033366

SHA512
0343395c4eca8acefd53dcd573e3c589ed8ed0974214d639b658be060d4d8e9d468de996d680bb66bf6d366ea3d9084000aaa19ae2dd49b642742502a5fdadae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6393bc619f12ac884ef52f0ccb7e12a1

SHA1
0b79a7caf10c52555d2032d960b32a5e2db90735

SHA256
18b66b85957336e1bea7927d80d0cb9edd85bf55d6f39052e668f8b999cf0916

SHA512
bbde533af98b84bd7e4abf7b445bee65edc1a40e32c30d675e005dac38f5948328da6fe7c286f578269e20bad07324e95846dba1f90cdea7cb2d11153985d5f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5db59d1ebd9b48ee1fdcdd3454642b9

SHA1
7f0a77bcf695a7d9d009d3dc5cf3cb4f76345332

SHA256
ffed5fdf993599daa2de219a3382a6f3ca045f95b74cedc3d2f2a632b56e5579

SHA512
fedb016faa8fe06a107bdcfc28b2c00bd5351450b6c256a6461d34b80684b07caa3caf1c2e7eee6bd5bcd2a49732c3c280866ef0dfe474fd6e001b42a453e388

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15d5c20cef271c49eb417bf0ceb24c02

SHA1
c71bdc48185f5051647fbf08f26f76c3c4fbf4a8

SHA256
e9d8c1e41595c5bbc8d80cba38ccd357c228d8e5d35ba7c2f9a0deaf9c9a2803

SHA512
89121fbf7be08d1b85c279407a036f4c796d4d10286056d381e54a845efbc6b5f102b73105d7271ba29bb76341f9cbe5aaad6eaf5b15099128f0abb44ceaf3c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0d723336d03b5d7fb51e0bc39b9b4d4

SHA1
cf7bb3c870a475511198172be46a9e6d029b582d

SHA256
6a781f722a827fbd72d14006907e17dda3e780130732a1aaa26d9fff6b33374e

SHA512
180348df4eebdc8783ca97f0b90dad8e6b85955766fbfd20485f51aee0cb5b3d2e943d5febec40cef555932367df2f50715dbf7b6847369f326b91a6eda6a290

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4A8A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
236B

MD5
24b647c35283966ccfb3882a7e0a2d59

SHA1
844ddf65572171252416d54d177c50d54dc04dc8

SHA256
2cb97669b56dfbf5843524be2adb7f511c7dfd726c824ae6f2d3bffa24cb9ed3

SHA512
70a21ab03435d2a16a0aec4300816dc593c4b77d7441a89513e93cde8055d8d29811e5fa88022c63825cd270c4495aaf8fff911c33f26a9d6857faee629bdcfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\LoR7XQe1eh.bat

Filesize
236B

MD5
e49125893275ac5971a0fbc08f103156

SHA1
31c924a887ef448e545a2ee6127772cce93ee234

SHA256
216b3823b9f5c1123f1a1fa6259c2fe43cb18704d80200993b661024f901297e

SHA512
44c5f0857b9ac40439842e4eea109445a71d0a070dddfe8c3d7d33b40a30cf2edc2bc84a85774f52d33a536bcfad2d26cc72c51b2e43fff7d230c4800dbeeba6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
236B

MD5
022e996a2db200921b3b13581b36b1b8

SHA1
39973a25432b8455f5a64c9bfcf226e5ec37fd10

SHA256
fb98bb9a38eadec5c764cc67cbb9e1574073a968798dcccc95f2f7d5874faa88

SHA512
6ff38a013e6f5f0d0e968301fdcedb5fc34e6f68bcbfacf10af0904da72ba77ed5f0d044b19cabc4bbb5c1f194914fcf5396fa926d6eb7cb74426efe752b62df

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
236B

MD5
9125c9bc18ac3fde688f93b899743c12

SHA1
db1f4792208d942086e0262042a2aea601f30c3e

SHA256
82416e4522a2f33847d777e0eaf25a231e759cddf737ff1b0322a51d862d059c

SHA512
d00e5aed9626fefd5a7c8ac13f109ddb287834d27d7c87a79c0c0fcc0c470278ad62c1daee9da91d15114022f340509c0283bdf57804dedf3612ec0c694b16c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RdAvGBYmjZ.bat

Filesize
236B

MD5
7cb0fb3da4dd3676f422b4807c642eac

SHA1
178985453dbc12f03ec9744e671bebb4f51a2896

SHA256
97f5b467a62da0e4824a80f89dd68e25a31ecf7ecec71dd368cba8fa26408029

SHA512
7f894491821dc1a2554660fe9bde28c8a6123545ed972dd5e96b2353321c3069f3767e85d8cf6b6ccd6d1826b24525d0dfe772429f5abdcdd6556a3722c07e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A9C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

Filesize
236B

MD5
d8bf132675abadbb50d311654b1652a8

SHA1
6fdb7350de5847cebdc465c96b7e6e12d9682ef8

SHA256
84b0fc73d4eaddb5b09cf3cf78f500903be576baa9a79ad7cfbb18436769b57b

SHA512
8cc79de9d4e9ae20592a510d8603464a08edbff3567bdcbbaeefca2eb423746a01a43aa6381b3f4980bf4be5ff933b81463df87f27c4f50e56337745a12d4d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

Filesize
236B

MD5
aba329598cef88af7172f2732b8af3a5

SHA1
0fc67c3afd562831c3e1b4be0a9c60e77f4b4119

SHA256
83e14bdd2c43e2ee0ccc0e3ba94328f7de8e4f7b7192efc4116206b73490d779

SHA512
17d16f1deb38b9fc713720cf1c992c227f8cf051223f8a61315c32d9ee34d1f98c52f641b09f7a4a34683db5167f2a4a8438fed7ec4606b75d90e6616d6aefc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

Filesize
236B

MD5
905b8564fce962cc932d432225743bde

SHA1
508b11c32904feda13d645b963b32c62739b2572

SHA256
0169c9c59f800f364c4b64530c9f3f38494b3630f8d570ba6043cf7cd570a93f

SHA512
6d3f97ef1ddd54b6b81c38be3154d776d9413e96478a74b50b2e81d67d9993a383e0e17922e7a26927a3bd8acf987a3aca954938c55c0a45b4be5abf29a674cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat

Filesize
236B

MD5
0661f158ed6111eee8dfa474f2e4f6ea

SHA1
1efebec833199729a8da78b7e46f18ebb8accafb

SHA256
c30ef1accc34e5f904e28332e33f28615a5dc5b7ef98ef00a92986878459d39f

SHA512
2c2f7494e9fea7280baa1df2fa718b7d7f1bd8261c9f18a988836e7679dbb3a55edb97205ff957ca70f83f2052bba348ebc7d644896584f68f83bce6290c2245

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
236B

MD5
fc61708eeb576efe5d1b1aea07b1f058

SHA1
31947e8548e81a1931d6d2c3eacae03f4bbae06c

SHA256
759a32aa81ca737cac858012f15d63d8fa064b748c922e7b2569357a7889ed19

SHA512
07452c48bcd81ce461c021fdd579ce2c9394dc1990fba6bcbffb39bb2e2f26bfc498b18e5bf5360b10f81bf0a0b546add236cec16552e54a0384d217a70c53fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nokcDIWAC5.bat

Filesize
236B

MD5
58784b5564e09d8eb621ddf65658e0ad

SHA1
93bff71c9c5efcf30a5151716310286f9bfc528a

SHA256
0d1a57223258548d88059ab1d8f48c3d73d21c8955ab7103099eadb6f9a2b9f1

SHA512
5149d69265aab48e4fc2a34b02c08455cf65162ea4bcff4d6b0b9a48f70d92e52bb2f29589eb5fe23a468fb5f78148e4448ea587374fed45c686aab41d2122bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Z66FA0WWZ1V4D5FUJC3V.temp

Filesize
7KB

MD5
3c3a2620a1f229c2b7d265b797fdde36

SHA1
8b0ee3caf2ad7bc49028981c43a3c3d26bb24617

SHA256
709f3831c4ba3b2befd6aee33d3b2384c17ae83ddca34abb26083a8691f73826

SHA512
489c64647bb95c751a4d1a6a0450182e21eb234aa3d6b9c01ab911cff75ccd2e0be3c5195e33e365263ba1867be99499d7173bc163455848a9527426fa4279aa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1392-315-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/2296-66-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2308-68-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/2316-495-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/2524-615-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2524-614-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2592-255-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2592-254-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2608-136-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/2848-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2848-13-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2848-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2848-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2848-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2900-435-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/3036-375-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download