dcrat | ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 00:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1.exe
Size

1.3MB
MD5

c55a7b62e06a6988bec8eddf1fe6b25b
SHA1

605b3bf965b6a086ed45f0ed3cdcb9df360b6e1b
SHA256

ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1
SHA512

daf230aea99317befc1030d7f7526d5ab363990e45d2f127036e196651ae6701f922fcca56711e934d4b889d3ad2ccb311094d6f8d5151f46bbed20573d2b9e3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	1044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	1044	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018634-9.dat	dcrat
behavioral1/memory/2832-13-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/1788-139-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/1848-198-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/1804-258-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2688-318-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/1788-378-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1848-438-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1748-499-0x00000000009A0000-0x0000000000AB0000-memory.dmp	dcrat
behavioral1/memory/2008-559-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/1540-737-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1668	powershell.exe
1544	powershell.exe
1572	powershell.exe
2928	powershell.exe
2824	powershell.exe
2676	powershell.exe
2504	powershell.exe
1660	powershell.exe
2780	powershell.exe
2692	powershell.exe
2684	powershell.exe
2492	powershell.exe
2768	powershell.exe
2712	powershell.exe
2716	powershell.exe
1580	powershell.exe
2776	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2832	DllCommonsvc.exe
1788	smss.exe
1848	smss.exe
1804	smss.exe
2688	smss.exe
1788	smss.exe
1848	smss.exe
1748	smss.exe
2008	smss.exe
1944	smss.exe
2296	smss.exe
1540	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2592	cmd.exe
2592	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\ja-JP\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1504	schtasks.exe
264	schtasks.exe
2168	schtasks.exe
2392	schtasks.exe
788	schtasks.exe
336	schtasks.exe
740	schtasks.exe
1588	schtasks.exe
2596	schtasks.exe
1844	schtasks.exe
2180	schtasks.exe
604	schtasks.exe
944	schtasks.exe
2524	schtasks.exe
2500	schtasks.exe
2032	schtasks.exe
2620	schtasks.exe
1532	schtasks.exe
2408	schtasks.exe
3044	schtasks.exe
2544	schtasks.exe
2292	schtasks.exe
1632	schtasks.exe
376	schtasks.exe
2952	schtasks.exe
3012	schtasks.exe
2192	schtasks.exe
2400	schtasks.exe
2064	schtasks.exe
1224	schtasks.exe
660	schtasks.exe
996	schtasks.exe
2176	schtasks.exe
2280	schtasks.exe
2660	schtasks.exe
884	schtasks.exe
2300	schtasks.exe
304	schtasks.exe
1376	schtasks.exe
1612	schtasks.exe
2932	schtasks.exe
1852	schtasks.exe
2228	schtasks.exe
1600	schtasks.exe
1676	schtasks.exe
2380	schtasks.exe
1244	schtasks.exe
1900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
1580	powershell.exe
2492	powershell.exe
1572	powershell.exe
2504	powershell.exe
2716	powershell.exe
2928	powershell.exe
2768	powershell.exe
2824	powershell.exe
1544	powershell.exe
2712	powershell.exe
2776	powershell.exe
2684	powershell.exe
2676	powershell.exe
1668	powershell.exe
2780	powershell.exe
2692	powershell.exe
1788	smss.exe
1848	smss.exe
1804	smss.exe
2688	smss.exe
1788	smss.exe
1848	smss.exe
1748	smss.exe
2008	smss.exe
1944	smss.exe
2296	smss.exe
1540	smss.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	DllCommonsvc.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	1788	smss.exe
Token: SeDebugPrivilege	1848	smss.exe
Token: SeDebugPrivilege	1804	smss.exe
Token: SeDebugPrivilege	2688	smss.exe
Token: SeDebugPrivilege	1788	smss.exe
Token: SeDebugPrivilege	1848	smss.exe
Token: SeDebugPrivilege	1748	smss.exe
Token: SeDebugPrivilege	2008	smss.exe
Token: SeDebugPrivilege	1944	smss.exe
Token: SeDebugPrivilege	2296	smss.exe
Token: SeDebugPrivilege	1540	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2940	2028	JaffaCakes118_ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1.exe	30
PID 2028 wrote to memory of 2940	2028	JaffaCakes118_ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1.exe	30
PID 2028 wrote to memory of 2940	2028	JaffaCakes118_ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1.exe	30
PID 2028 wrote to memory of 2940	2028	JaffaCakes118_ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1.exe	30
PID 2940 wrote to memory of 2592	2940	WScript.exe	31
PID 2940 wrote to memory of 2592	2940	WScript.exe	31
PID 2940 wrote to memory of 2592	2940	WScript.exe	31
PID 2940 wrote to memory of 2592	2940	WScript.exe	31
PID 2592 wrote to memory of 2832	2592	cmd.exe	33
PID 2592 wrote to memory of 2832	2592	cmd.exe	33
PID 2592 wrote to memory of 2832	2592	cmd.exe	33
PID 2592 wrote to memory of 2832	2592	cmd.exe	33
PID 2832 wrote to memory of 2492	2832	DllCommonsvc.exe	83
PID 2832 wrote to memory of 2492	2832	DllCommonsvc.exe	83
PID 2832 wrote to memory of 2492	2832	DllCommonsvc.exe	83
PID 2832 wrote to memory of 2504	2832	DllCommonsvc.exe	84
PID 2832 wrote to memory of 2504	2832	DllCommonsvc.exe	84
PID 2832 wrote to memory of 2504	2832	DllCommonsvc.exe	84
PID 2832 wrote to memory of 1660	2832	DllCommonsvc.exe	85
PID 2832 wrote to memory of 1660	2832	DllCommonsvc.exe	85
PID 2832 wrote to memory of 1660	2832	DllCommonsvc.exe	85
PID 2832 wrote to memory of 1544	2832	DllCommonsvc.exe	86
PID 2832 wrote to memory of 1544	2832	DllCommonsvc.exe	86
PID 2832 wrote to memory of 1544	2832	DllCommonsvc.exe	86
PID 2832 wrote to memory of 1580	2832	DllCommonsvc.exe	87
PID 2832 wrote to memory of 1580	2832	DllCommonsvc.exe	87
PID 2832 wrote to memory of 1580	2832	DllCommonsvc.exe	87
PID 2832 wrote to memory of 1572	2832	DllCommonsvc.exe	88
PID 2832 wrote to memory of 1572	2832	DllCommonsvc.exe	88
PID 2832 wrote to memory of 1572	2832	DllCommonsvc.exe	88
PID 2832 wrote to memory of 1668	2832	DllCommonsvc.exe	89
PID 2832 wrote to memory of 1668	2832	DllCommonsvc.exe	89
PID 2832 wrote to memory of 1668	2832	DllCommonsvc.exe	89
PID 2832 wrote to memory of 2776	2832	DllCommonsvc.exe	90
PID 2832 wrote to memory of 2776	2832	DllCommonsvc.exe	90
PID 2832 wrote to memory of 2776	2832	DllCommonsvc.exe	90
PID 2832 wrote to memory of 2768	2832	DllCommonsvc.exe	91
PID 2832 wrote to memory of 2768	2832	DllCommonsvc.exe	91
PID 2832 wrote to memory of 2768	2832	DllCommonsvc.exe	91
PID 2832 wrote to memory of 2928	2832	DllCommonsvc.exe	92
PID 2832 wrote to memory of 2928	2832	DllCommonsvc.exe	92
PID 2832 wrote to memory of 2928	2832	DllCommonsvc.exe	92
PID 2832 wrote to memory of 2780	2832	DllCommonsvc.exe	93
PID 2832 wrote to memory of 2780	2832	DllCommonsvc.exe	93
PID 2832 wrote to memory of 2780	2832	DllCommonsvc.exe	93
PID 2832 wrote to memory of 2712	2832	DllCommonsvc.exe	94
PID 2832 wrote to memory of 2712	2832	DllCommonsvc.exe	94
PID 2832 wrote to memory of 2712	2832	DllCommonsvc.exe	94
PID 2832 wrote to memory of 2716	2832	DllCommonsvc.exe	95
PID 2832 wrote to memory of 2716	2832	DllCommonsvc.exe	95
PID 2832 wrote to memory of 2716	2832	DllCommonsvc.exe	95
PID 2832 wrote to memory of 2824	2832	DllCommonsvc.exe	96
PID 2832 wrote to memory of 2824	2832	DllCommonsvc.exe	96
PID 2832 wrote to memory of 2824	2832	DllCommonsvc.exe	96
PID 2832 wrote to memory of 2692	2832	DllCommonsvc.exe	97
PID 2832 wrote to memory of 2692	2832	DllCommonsvc.exe	97
PID 2832 wrote to memory of 2692	2832	DllCommonsvc.exe	97
PID 2832 wrote to memory of 2676	2832	DllCommonsvc.exe	98
PID 2832 wrote to memory of 2676	2832	DllCommonsvc.exe	98
PID 2832 wrote to memory of 2676	2832	DllCommonsvc.exe	98
PID 2832 wrote to memory of 2684	2832	DllCommonsvc.exe	99
PID 2832 wrote to memory of 2684	2832	DllCommonsvc.exe	99
PID 2832 wrote to memory of 2684	2832	DllCommonsvc.exe	99
PID 2832 wrote to memory of 2236	2832	DllCommonsvc.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ed3ede75650a932174650a79dae859ba97ed5b1c592da6027d37df804f3de8e1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\ja-JP\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuLg2sxQhA.bat"
        5⤵
        
        PID:2236
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1276
      - C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        7⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2808
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
        9⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1988
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        11⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:336
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        13⤵
        
        PID:572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1580
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        15⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1192
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        17⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1900
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        19⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2460
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        21⤵
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2744
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        23⤵
        
        PID:568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2328
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat"
        25⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3036
        
        C:\Users\Admin\smss.exe
        
        "C:\Users\Admin\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
920d64e021784fe9e9ceea3e886eb49c

SHA1
bbb7e0a62612881ff2ded4c2a6ff0efc93415472

SHA256
a05de245769a1d57ed44c0db8088a1717ac0a6cb9b756f90244a88ecbe82beed

SHA512
5accb98a68aa32f07b1eb237bd5d0ecfeae64604057015f584ee4ce4fc5f8df9c3c06eb88fafffecc488e2e12e49bb32ffa07440a29324e6f33e13d0412b1d3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
779ebaafd8b0fd14ea9135f30aa90f8c

SHA1
fb93717524505e7239d3cae606e96cef5d7603c0

SHA256
aaf8543459201f526758c108c0236f08826e50a73eaa9a3257765277d5d3aecf

SHA512
27d5488c256529515b6436296dade04479077a3dba3b038baaf607b9a578a39a4bda71e353ef6889c2d006ff1e6862168212835ab401320a05e7cf4f7fc93fab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9e97a461c659311178f40db8cfd0d09

SHA1
49899c48104be5d1adce2222b719bbf986631a20

SHA256
4e7f3b5765ac0082fea5949e1ff78ae20ef52779ee57dd189143f887260f2f34

SHA512
c8c3d348ce20b01c314ca93ae53b0cd2a45d3ae5fff48a0cf6050164f06860e012acd6c272ab46e50c3411aa153a5b10d23039d6763de31a9536a7589b09cdc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa6f0564c94bc64b2cb55a47b4111dcf

SHA1
86c34514ab84d6077799004fd2cea4dea2838843

SHA256
4561c7abf765dfae2763bd7b83e58700d6ec27fad1314e4d8307c2e997b84b20

SHA512
f2fb93f15274ff5af77991cebee58bffe6c47effbb1ec603fa4be3b824cf2ee3002935ba9c6d1f3f4142ef01f4fea092b5258e291d3b2d31beea3f6213a1014e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cd712ffb5da0e88934b524943d44c09

SHA1
f769f058c21621036fce668efb720b55e477f36f

SHA256
390cdda2352f5261f1514f25f64872f3446b73fc57f8c276ec1e8458635accda

SHA512
8bcaf2e32e99d1ebf9f128f65bae39a10164864e8c9430c1a89874177890cd5fa8656c133751d1f76c5f0aa46b528093e1030a3c1608f8efd155ff84b70c4b26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
503eecafdfcfd8648ee24673d1d80b09

SHA1
e08a30c3b430ec00b7f9df249a5b20e9689022c3

SHA256
552b510977db53ea2142bcc0bc7f96e330e7e9c20089f89ff3ce68404b7cb746

SHA512
bf383f963da85cfa59ff9cca908e4e83097b1de608094e70d74150425f92e133c1d00c9fc27d2d5aac337f233b6c1a35cc40460df60e3f4598c8f1ace3240c37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c6784086612e62ae4e90b60c8186359

SHA1
5bbb6cfd69ac5d220a814f180b1587de96627ef5

SHA256
48c6dd14d934de6c9203a5c96e5b40590a5f377a31b556003b6a93682a12dd46

SHA512
006eee978fd6949ffee5da6fa2e65de2f3f313c9ecfcdbd5a61801f96fc6f58b979da3e6a9a67be0f76c4f2a6f5f433a511629824609fbec9b7c121fce0f1c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9689c5a3e419b9aec7d0e42c8188857

SHA1
863b99cb066f5d4b232b72eab7d79e6f276107b2

SHA256
b0a8cd23f4321ec79d465fb246215724f66ecfebca8265759b7250dd5d624c89

SHA512
c93fc04404406f2f2cf4c63edabe11a26de5a5d7abeffbf247b470bf69e769bcd815c9fb73fbbe29814a23440080ddb860ea7777c78be76bfde7c6eb8b099166

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
779d0f41d9b84a4aeec8efda7a15d5b9

SHA1
809344ebf9850410ddd0155e2c0756d7eea93d6b

SHA256
3be5a559478057d59c522075f6e24c16e015844689585271fe31742d4651d382

SHA512
7c2d42943d7cb67d11dca0b92b848919e90f79bc5ccda96402fe293caeb0f9cc4e625b600a51f5e5782b5f74a6c106610235d3bc825a884259a415999362c00e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
188B

MD5
54199fdfa1bf9329e8c7c6f02f0e9cc6

SHA1
bb648478be38e3629a708f960be58284cca6cf0a

SHA256
5b38141995a3b28c4db5a5b60072ffc6fc91a3c498387113955495cd5bea1f12

SHA512
d726bdaee590aa26ac7874baaabe3a631756a1206e6a5044ceacd255959919ed33b2e6069d353ea26b64bd186477397c74e410fca895c6304fd918f8f48e71b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
188B

MD5
d64ccdba90b8f6ae5706555dc0fce936

SHA1
ed18e9b2e44b88c225ef15ee3914008d3cf95690

SHA256
8a93b45292d0eef6e4e5833bb94641d8445409cd493c6372010822456624d715

SHA512
9040a713281b28646b09ab961e9cef094414600111db96e1f2c07484c74e26f48f1cdadb1c51bdb2c71c64dcfb6d5483f03f9fe44fc8e9179b850aeb3115e8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8039.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
188B

MD5
0bb2d8b93d00ac6ae7e372e4def809c3

SHA1
c2cb4c2d15506c668cad88553adc279f054c9318

SHA256
0b3adc40b08e67c9a643165502808460e3230c29cd4924dbf634e1bee72b0deb

SHA512
4d3e72577fb3f8334cc5b162ae23366b5e1cb9c8ca86c701898fee877f74336f3216a68b818cc625bfc0868a02cdba861a8a64b268785a1e98f3e26cba526b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
188B

MD5
d5e3f3736e6b0b9e9dc758096a696537

SHA1
6c5cd43ddc4d4f6a400aeca551ef99ffb8a523e4

SHA256
2634f9a2a2f405888a0aa3222c35d220619052bede1357f381d6aa708de36aff

SHA512
790fd458f7198e9e8c2a31cc3f5cabc61daed33047434c2af05ad5d9b63a976175b34eb712f11324dc02ade45c140d668f65084eb404ad302cacce064c6207d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar804C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
188B

MD5
4b43e53630b9fbcc159442ecdc01be4b

SHA1
aa5fba712b6d90fa06da4cd79d73bc7fa900fc69

SHA256
66db34bcb4bd7d841da1eb624f8baaecf9f1fd91db9a44cd58bb0c6e9948b70d

SHA512
a69a89ce5c241e5c45ec681e7454b1215176a1e7249a315b48b56679a5cc5808845664f76c41419612682b0fe121d0c97d8933b7395826a6e2989bb46d20ceba

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat

Filesize
188B

MD5
b785118257a14ad57471072411bac4d5

SHA1
a6e49bb286bae6cd3d3920e342ae72447384e162

SHA256
e50d21234e8be3a3693f86deee56226f2a47ccae0eb21159d69be52ef8860857

SHA512
944bd3531a88598ccad80056ef98600fdbc079224c76a319d2787a5936cb109b11f8a0ab7227743b73b684a5cc641b7eb809a798a2a317a994ca19431b903396

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
188B

MD5
93368d09671160c0568af679a4293b70

SHA1
0a2ec2a0886134d093d0dd6694c5f359c1cb4bc0

SHA256
71ec4ae1028154f6bf3186b677c1285b828e9e235e1cbe1b4da73935cbb70d0d

SHA512
774f905d42131bed8381a6da8e085b26c79f3ffdb78542125798dea7df745da700c9767ba560e35788100e323ef41ce18a16b6ff135649ead4dcfa8d08d9ed92

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
188B

MD5
80d7d4851017397df83da48865e81d5d

SHA1
275272a1387a6b2653725fd67e999f0a99a977df

SHA256
5b3aaca6f20d5462a3f83cf32a9dbdaa451472a24861d434efc23b1dd4e842df

SHA512
a5be39522c36fa8f909ebb06195097a9436fc8d122e9c50dde187c7a99f07264954a2f074237433df98d6256235a0d45dc1edc7b1176a9e0b7c4f12ab309244b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuLg2sxQhA.bat

Filesize
188B

MD5
633a8a3036d68524c6c3c6f444a28447

SHA1
2f9c5730e6f55bb6c0118ab657d3deeec44b01b0

SHA256
8b891bfa0bb28f9fbb15404e3cfb69a8c8d14ff4935d98435c806964a4563df8

SHA512
0f379cb6220776eeaee0ada80df3bf65efc847d88a70132e0ffb98bf4b45ed7298574d3fbbb06f7e8b8eef8327489332a09f8d67c11fdcccd0968f2758b42a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
188B

MD5
9cbd0f3cc02f9b0998eec0ddf1360b59

SHA1
5871dce0425b2b46c9ce7c7297ae4053530fae83

SHA256
6b4fd44182312d8f4901e4421ce6e3f0aab9e0c5115009f5945bcdb62922b567

SHA512
a55977c10dc497ea7d2a17c96045d240fa6781921258892e49cdcdcbffb2769772f5f0e2b02adda5821ed5476605464f82857a988090c1be012ba790e40ab6fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\xghrCifyI9.bat

Filesize
188B

MD5
3e294832c7ea0d36d43d95c2e7f9bd5c

SHA1
2809c4f86c4b4e977dc50d0d696a71b8345cc4e6

SHA256
740b143642d3c44fcc1ab7193a005d2648eded670e2c7dd0f6d1fdb9dde70c09

SHA512
83df9604d263d3afd37614c20fbe5908716c9ef2d1d925ad174e7e21c6f584c8e9fdce80c3814044efeb2b1451d1ccd50a5a0aff169bf78588f8af43dc51940f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
453d1a64e2d768122276acdaeaf8bd8a

SHA1
ea67d0f7b974652cad7827cddc51c10c4041859b

SHA256
8572a8f2795080dd440384af301a9e93ac6411dae47eb99505bd1750c6ce5087

SHA512
d4dcf2a7816b8204a6114bca83d43b6c8794e7d335d688c0a4265dcac35a71d934dc721c7d28e12170340850aa778bfa79802a61e4b1d3a36ee33cc56a06b3d2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1540-737-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/1540-738-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1572-91-0x00000000021D0000-0x00000000021D8000-memory.dmp

Filesize
32KB

Download
memory/1580-64-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1580-65-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/1748-499-0x00000000009A0000-0x0000000000AB0000-memory.dmp

Filesize
1.1MB

Download
memory/1788-378-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/1788-139-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/1804-258-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1848-438-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1848-439-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1848-198-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2008-559-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2688-318-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/2832-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2832-13-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2832-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2832-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2832-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download