dcrat | 11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303.exe
Size

1.3MB
MD5

22965b5224cda430132f72572992f837
SHA1

9ad727d782ae5d991c7048189111f1b68494f441
SHA256

11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303
SHA512

d5aeac871188030cf8d707b41d3f20cedd0487a1a8aebc0fe307ac64296c6ccba6cf0599fdf3923161db335bfcc1b2556a72abf7eadb4460f33240767bb0a642
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2000	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2000	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d46-11.dat	dcrat
behavioral1/memory/1688-13-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2440-123-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/memory/3048-183-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2284-243-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2636-303-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/1540-363-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/1596-423-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/2752-484-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/2692-663-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2312-723-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2208	powershell.exe
540	powershell.exe
2188	powershell.exe
2692	powershell.exe
1644	powershell.exe
1744	powershell.exe
1564	powershell.exe
2136	powershell.exe
1796	powershell.exe
1668	powershell.exe
1692	powershell.exe
1948	powershell.exe
1700	powershell.exe
344	powershell.exe
832	powershell.exe
1596	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1688	DllCommonsvc.exe
2440	explorer.exe
3048	explorer.exe
2284	explorer.exe
2636	explorer.exe
1540	explorer.exe
1596	explorer.exe
2752	explorer.exe
872	explorer.exe
2132	explorer.exe
2692	explorer.exe
2312	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2828	cmd.exe
2828	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Skins\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Skins\taskhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Help\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Help\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1048	schtasks.exe
1988	schtasks.exe
2244	schtasks.exe
1476	schtasks.exe
2016	schtasks.exe
2660	schtasks.exe
320	schtasks.exe
912	schtasks.exe
2672	schtasks.exe
2924	schtasks.exe
1032	schtasks.exe
764	schtasks.exe
2864	schtasks.exe
1056	schtasks.exe
3056	schtasks.exe
1344	schtasks.exe
1720	schtasks.exe
2284	schtasks.exe
2844	schtasks.exe
1624	schtasks.exe
492	schtasks.exe
372	schtasks.exe
1836	schtasks.exe
2204	schtasks.exe
1780	schtasks.exe
1060	schtasks.exe
560	schtasks.exe
2056	schtasks.exe
1228	schtasks.exe
1300	schtasks.exe
3064	schtasks.exe
2216	schtasks.exe
2232	schtasks.exe
1488	schtasks.exe
2268	schtasks.exe
1868	schtasks.exe
2896	schtasks.exe
2984	schtasks.exe
772	schtasks.exe
1244	schtasks.exe
2492	schtasks.exe
2572	schtasks.exe
448	schtasks.exe
1608	schtasks.exe
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1688	DllCommonsvc.exe
832	powershell.exe
540	powershell.exe
2208	powershell.exe
2188	powershell.exe
344	powershell.exe
1692	powershell.exe
2136	powershell.exe
2692	powershell.exe
1948	powershell.exe
1564	powershell.exe
1700	powershell.exe
1596	powershell.exe
1668	powershell.exe
1644	powershell.exe
1744	powershell.exe
2440	explorer.exe
3048	explorer.exe
2284	explorer.exe
2636	explorer.exe
1540	explorer.exe
1596	explorer.exe
2752	explorer.exe
872	explorer.exe
2132	explorer.exe
2692	explorer.exe
2312	explorer.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	1688	DllCommonsvc.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2440	explorer.exe
Token: SeDebugPrivilege	3048	explorer.exe
Token: SeDebugPrivilege	2284	explorer.exe
Token: SeDebugPrivilege	2636	explorer.exe
Token: SeDebugPrivilege	1540	explorer.exe
Token: SeDebugPrivilege	1596	explorer.exe
Token: SeDebugPrivilege	2752	explorer.exe
Token: SeDebugPrivilege	872	explorer.exe
Token: SeDebugPrivilege	2132	explorer.exe
Token: SeDebugPrivilege	2692	explorer.exe
Token: SeDebugPrivilege	2312	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2744	1992	JaffaCakes118_11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303.exe	30
PID 1992 wrote to memory of 2744	1992	JaffaCakes118_11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303.exe	30
PID 1992 wrote to memory of 2744	1992	JaffaCakes118_11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303.exe	30
PID 1992 wrote to memory of 2744	1992	JaffaCakes118_11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303.exe	30
PID 2744 wrote to memory of 2828	2744	WScript.exe	31
PID 2744 wrote to memory of 2828	2744	WScript.exe	31
PID 2744 wrote to memory of 2828	2744	WScript.exe	31
PID 2744 wrote to memory of 2828	2744	WScript.exe	31
PID 2828 wrote to memory of 1688	2828	cmd.exe	33
PID 2828 wrote to memory of 1688	2828	cmd.exe	33
PID 2828 wrote to memory of 1688	2828	cmd.exe	33
PID 2828 wrote to memory of 1688	2828	cmd.exe	33
PID 1688 wrote to memory of 344	1688	DllCommonsvc.exe	80
PID 1688 wrote to memory of 344	1688	DllCommonsvc.exe	80
PID 1688 wrote to memory of 344	1688	DllCommonsvc.exe	80
PID 1688 wrote to memory of 540	1688	DllCommonsvc.exe	81
PID 1688 wrote to memory of 540	1688	DllCommonsvc.exe	81
PID 1688 wrote to memory of 540	1688	DllCommonsvc.exe	81
PID 1688 wrote to memory of 832	1688	DllCommonsvc.exe	82
PID 1688 wrote to memory of 832	1688	DllCommonsvc.exe	82
PID 1688 wrote to memory of 832	1688	DllCommonsvc.exe	82
PID 1688 wrote to memory of 1644	1688	DllCommonsvc.exe	84
PID 1688 wrote to memory of 1644	1688	DllCommonsvc.exe	84
PID 1688 wrote to memory of 1644	1688	DllCommonsvc.exe	84
PID 1688 wrote to memory of 1744	1688	DllCommonsvc.exe	85
PID 1688 wrote to memory of 1744	1688	DllCommonsvc.exe	85
PID 1688 wrote to memory of 1744	1688	DllCommonsvc.exe	85
PID 1688 wrote to memory of 1692	1688	DllCommonsvc.exe	87
PID 1688 wrote to memory of 1692	1688	DllCommonsvc.exe	87
PID 1688 wrote to memory of 1692	1688	DllCommonsvc.exe	87
PID 1688 wrote to memory of 1668	1688	DllCommonsvc.exe	88
PID 1688 wrote to memory of 1668	1688	DllCommonsvc.exe	88
PID 1688 wrote to memory of 1668	1688	DllCommonsvc.exe	88
PID 1688 wrote to memory of 2188	1688	DllCommonsvc.exe	90
PID 1688 wrote to memory of 2188	1688	DllCommonsvc.exe	90
PID 1688 wrote to memory of 2188	1688	DllCommonsvc.exe	90
PID 1688 wrote to memory of 1948	1688	DllCommonsvc.exe	92
PID 1688 wrote to memory of 1948	1688	DllCommonsvc.exe	92
PID 1688 wrote to memory of 1948	1688	DllCommonsvc.exe	92
PID 1688 wrote to memory of 1796	1688	DllCommonsvc.exe	94
PID 1688 wrote to memory of 1796	1688	DllCommonsvc.exe	94
PID 1688 wrote to memory of 1796	1688	DllCommonsvc.exe	94
PID 1688 wrote to memory of 1564	1688	DllCommonsvc.exe	95
PID 1688 wrote to memory of 1564	1688	DllCommonsvc.exe	95
PID 1688 wrote to memory of 1564	1688	DllCommonsvc.exe	95
PID 1688 wrote to memory of 2208	1688	DllCommonsvc.exe	96
PID 1688 wrote to memory of 2208	1688	DllCommonsvc.exe	96
PID 1688 wrote to memory of 2208	1688	DllCommonsvc.exe	96
PID 1688 wrote to memory of 1700	1688	DllCommonsvc.exe	97
PID 1688 wrote to memory of 1700	1688	DllCommonsvc.exe	97
PID 1688 wrote to memory of 1700	1688	DllCommonsvc.exe	97
PID 1688 wrote to memory of 1596	1688	DllCommonsvc.exe	98
PID 1688 wrote to memory of 1596	1688	DllCommonsvc.exe	98
PID 1688 wrote to memory of 1596	1688	DllCommonsvc.exe	98
PID 1688 wrote to memory of 2692	1688	DllCommonsvc.exe	99
PID 1688 wrote to memory of 2692	1688	DllCommonsvc.exe	99
PID 1688 wrote to memory of 2692	1688	DllCommonsvc.exe	99
PID 1688 wrote to memory of 2136	1688	DllCommonsvc.exe	100
PID 1688 wrote to memory of 2136	1688	DllCommonsvc.exe	100
PID 1688 wrote to memory of 2136	1688	DllCommonsvc.exe	100
PID 1688 wrote to memory of 1496	1688	DllCommonsvc.exe	112
PID 1688 wrote to memory of 1496	1688	DllCommonsvc.exe	112
PID 1688 wrote to memory of 1496	1688	DllCommonsvc.exe	112
PID 1496 wrote to memory of 1328	1496	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11990050abf6505fea0378f1e4638e7cd41aea3392bc21f657a4c36ac7392303.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Skins\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r7KHzNKMtF.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1328
      - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat"
        7⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2008
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
        9⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
        11⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3000
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        13⤵
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:836
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
        15⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1784
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        17⤵
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1600
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        19⤵
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:952
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat"
        21⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2936
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat"
        23⤵
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2472
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        25⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:772
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Help\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Adobe\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\Skins\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Skins\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Skins\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf00f730564766f5e92313855a7a64c9

SHA1
a60664619f34ac9eb349b47e1a0f00aad97ae3e5

SHA256
f187748215d56c125ea87c851490b0b6bb7801a8a0264ad32c545e68ee3aa8f2

SHA512
cd4a7941c9903e74484735b9427cb1456bed5342b2176552276909eea2ccf075460727a50f9ac5ff812e29ee7222376de148dd47e0955868f7cafb679b0bbd6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a951a11140b63f08bedb2c0d6064fae3

SHA1
9c0125932bf372717f731076e2b2d63921b61253

SHA256
1fff037e3b2b1a9b91eef94fde1404cc225a5ccdbe3bda859171c91d9cfd4a75

SHA512
e991959d4b08d518c97c0e7973e5967d86d04269d0b0f08cf4e131da869b453cd8466ab4cca65770fad61501e563859d6bb435319e4fc0f1b6b49d3150a2cd34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e993b715ae28d5b3600d0b96c4799d7a

SHA1
dc431e80e4d442b0c47c5ab3cab59d1347c65fc5

SHA256
ef48f315ccada6560fd0ad06120d187a9a5dc06bf8fe951deb046ea4915e0c0a

SHA512
61673be655a5b1674c696e143a3a8545b33705ce9e36f15035b14117c8deec1b85d089b4c039cdb0a399b378a77339559b877b1a6d924eacfb8bdb5967b41032

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1234cafca545938e57d309b4587b0e05

SHA1
bb8ddac7cf7528c4985d0d33173deb1f50247617

SHA256
8b5dc5a61ee6424266165e8a71648211ee5534229fec61ae41e9c582411b633f

SHA512
e2a478a08a13d18cf5b9571c2bf8159279ecc6709d968364d7f69ca70f86069dd62ad64451cd50a967f6075dea6b6522119433a9e67dd35ba03fd4e070bf366d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b71ab11d43a4d4876ba508559f2fa130

SHA1
bb7235f9d991f05e2ea1933b3b4490bb5dd8f3b4

SHA256
5539aa17643d8f5122abf030ec4619f03e45b4badfce84530c13a3bc63ae98d5

SHA512
bf2ba8fd7fede55a09296eaae98598b17e89865c843d728023ba5dfab1d16b3bc36d53fd257640435b9822cc88d530eb36f23049c5719ce9f55dfa54dbc43fab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2925663c1a9ed160b32d646babd4e9a4

SHA1
0bbf233db9f93f5981399e3a1425359f1d7e1f3b

SHA256
ff8c49400d41e1269c0704b8a607cd688907e779ba567e8414b17533bf151c76

SHA512
048564c70eb4c31da59284d2cf8087ca0d38785cbf60ba8962de382574e76615896d4f342ecbf9dfe14075a49d3295a1c67553f6f3eb65bf69c7e44f8d6f6150

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
770669764aec32710adbb7b0da3a9460

SHA1
771b11058aeeb9041ba8d1894e8520eafaf0b61e

SHA256
c81597e34836eabc2cfa64dadcb60b00bad837dcd1420214f63f0c1d478fd586

SHA512
3e530ee03fd6d6f75c9a8815622213e622ba836a89fd7447a63c8a091fef190615a64876dc91e47ce0ad5386e7dbc80c2144ca02a1f80368154b3fcfbdd40ecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c754d9667e4322608528c22a58401892

SHA1
6d0a21525f599eaed47d432af08ea59b6363c6f2

SHA256
b149b4956223fc0638ad9dddb44afe48fb6389945e1f601cbee5f9409346dd9a

SHA512
9b9d373f1f55af18d106d569d15a351fb04e26e7fb3a0d3537a90d3926157fa7210f08fec6e9488d42bb12e3389864435aa268fffa8666105b7c4fd37566756b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d20c623e668b99c610bcf6d03396953

SHA1
8b1b7fd96609c9168162c693ea9668ffef46b510

SHA256
07cf8749fed02fc7193ab5cb12a26639eec0fbd51055a4715d339f0265a9904c

SHA512
3ef46dafcc18499dd17a98777fed6ca22a06328e37d1ceb80d3da01f0afa988c2ebc39ee324ec4f3d30842f08e869c825c0e2224211bbae45cfc673d25543954

Download Submit
C:\Users\Admin\AppData\Local\Temp\5G5G1KH0qy.bat

Filesize
245B

MD5
573e23cb87e3583f133bd2de1673c2f4

SHA1
c36272d79b27d6b054e4b07a0b452b83649f1cad

SHA256
9e24c84c5fe2b609c7807678b34dc375bf9416217d25139abe4d0628b119074d

SHA512
5e42806bfc7e58f4cc20cddbfe792aa3bd16dcdf0284b1a7f3abe41e365f80b99884d4baaca605db30dbf419ea5f2f646642b2675ee18eaadafacce63d4564df

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
245B

MD5
80c3ce4f09ba4698406e1ee3ee95258c

SHA1
f4795cbf3c336bc592f297f4078d68733d2a458a

SHA256
1f629fb616c8f6885d6f0df365f087388383832a1681894d0ade39649d3e8f3e

SHA512
d1cfac5e13e9d7a317acd03f01353dc741183d7a45e017316818d3de8f07fea6bd75c42fd298bcf487db765dfa0e1c885013633e9a28001c8ee2d5ff561520d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat

Filesize
245B

MD5
27823b82f74b9659362c88fb034db336

SHA1
7d61d1210a2d057692d8fc989c50bd32d69fa495

SHA256
3e6d22f6327dd7b7f2aa684f106bf93c60353fa25a56453ab13de795f0343c7f

SHA512
411e43a40b4d5d6ad83ecd5cdb59d6297bfb51cda3106d5b27695db215205c61eac98844b5e80553360782a4b24d51910bb292bfbd19ba2e8ce3beb01b349bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
245B

MD5
5fc7574fc168595e88af39c455a30f2b

SHA1
d8c2d4963edb6b820088e61815778bc1fa403dce

SHA256
c6646c0200cb7fcb923865ed643aae701d9d9744a73ff255919e0a3ac12b12b9

SHA512
ed9bd59161e1e5a2acacfd6166d1855c8b0ef20a4c4d27164f3cc9554274ea17c90cf3593b63f65c02273e656e810d4473f78ac83515c9c6844b10894f30ec08

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC802.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
245B

MD5
8669e23c411d3cb17df5eecb55f6ace5

SHA1
98536d7928a1d82f666c6428f1a109b254dabf18

SHA256
8e8294b62f474d3a31552e7cf6b8866a92553fab8b1d5bccb895b1fa6db4b8fd

SHA512
0c48b5238897c25124ff438e493e4b95450a206ce60e0df098f66ddf51814e2dc0cbbcedd34e9bdf6a941384ab220dd626dbbaa4ce3652bfaba2b2b99a63f250

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

Filesize
245B

MD5
64e5e1cd5c069ae29e976a5764a593b4

SHA1
0c2cc1627dd1eae7ea033062b2acb0c2852a8963

SHA256
70ea81ce2ea96ed0a84f88d68442b544a9bb84d01c5d2bcda34d2a82974d509d

SHA512
2131ff517273766760df7df5c737c095b474d1debc1373facdb7af7154c52f1848da30f9711366cf1b86297149170d1fc4595441768dcff9a21cf8ebfb802d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC815.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wm5t4PlH1R.bat

Filesize
245B

MD5
577bd43e1a76b338624a41b992660958

SHA1
bd9c10813c92c1e76084a4c710bb3f41421e6dbe

SHA256
032bdbc2a49072ec4f806649c260e6a5a63b714e303a4dd53675c0c08f6405b9

SHA512
71edd2eac520c2b38f43fa569fb0baf34f9be5cf4a8d9936cebaef45b86449947f6d764b255c2724a9a9340a71a9fde6c842a0f4ff2569a250b8abdc2e42c6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

Filesize
245B

MD5
ed96aac24b76835c470b68561b7d8f0f

SHA1
05a10870b0ee039afc35095d31d67e69c963fdeb

SHA256
05af8eea7b5001190d94072d1dedf066e2a9c05394037a2fc50023130aae8e7d

SHA512
698145b07b4060966397515eb3d7c52dea53f8685038a80917a1898874c8291d6f9b7f9c825ff321e4988cfa79241580caeee4bc6c3376a55547af51fe27cf53

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
245B

MD5
e10e987bbed3fc526c466eb5572b71d3

SHA1
b635222b20ba5d4df7f7bdf128cceb065d8f0548

SHA256
cd2bf3f360a01956da6c3f06951c632db8bd304090b35e10911c05f9dce4fb8f

SHA512
ef86b60fc0bbb320ced7225af0a4eb61dc4930915c24d9664cbd605d7612d128466f0d605930bc0212853ca925f21f2bd85ed2693661c639fcf11db81239e5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\r7KHzNKMtF.bat

Filesize
245B

MD5
023841aac49f51639991d7f8787630bf

SHA1
9c1b54d70a011e3eba9df4c3b0c79efc2217ac3e

SHA256
cea7a13640f61b4c94695be3212533241b723bad4fc65063bfe9b5c502d842e2

SHA512
52465190d44e003cf9be90a0879cb38d26be2be579ac0d1e597db376c9c8bfc097f0c4bbaacfc9764973944620a20797d8d5395922ab1a8e85a417c66862b305

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

Filesize
245B

MD5
b4946c4670cf9e608076f52100db1242

SHA1
b50768d548e979bdcc0e077ec8d127a0cf32fad8

SHA256
80423d90e62c4150199ed0a309d7331d4538697f898b661095ee766aa7919b6b

SHA512
2da605f782c22806d30a3377a8be0bf1dcf2cdc9988989fb40bc754bf054c3062f12e8694a0ad7369eb314082ad93aaaeddcb5ac20d0897fb07d8843abea4064

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8f821625415f6d94ac078d43a2447b8d

SHA1
a8868fa93206a3c44c47ae05eac71ebb46e6ef91

SHA256
25f6327433e82454ecc448dbafd6a1aa118f923691a70d2ec52c9a558e80fe8d

SHA512
1669bcc1d21cb8bd3a04af88548e0d29e673b56a956de268d42f0c0af17c3f9a9ea641c583637f12fc84ba5ffa8fd0ba208d91be1642adf58af0aafd67787263

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/832-58-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/832-57-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/872-544-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1540-363-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/1596-423-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/1596-424-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1688-14-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1688-13-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/1688-17-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/1688-16-0x0000000000670000-0x000000000067C000-memory.dmp

Filesize
48KB

Download
memory/1688-15-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2284-243-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2312-723-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2440-123-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/2440-124-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2636-303-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/2692-663-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2752-484-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download
memory/3048-183-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download