dcrat | 2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3.exe
Size

1.3MB
MD5

575c971e41cc76614c74fd9e2fe9e4c9
SHA1

88b10301e793c893a4e0d62d8e98e6690de1f6b3
SHA256

2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3
SHA512

604a15278ee54124a8f431f2602fe973b0c7ada834e247aee9c608451fb5fa3ca5aa85fe6cd9cef5d2283a334520ae44f7d69b582b141826413d1700237cba24
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2728	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2728	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016399-12.dat	dcrat
behavioral1/memory/2304-13-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2792-56-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/584-194-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1004-255-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2304-315-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/2960-494-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2164-554-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe
1860	powershell.exe
2504	powershell.exe
2524	powershell.exe
2076	powershell.exe
2528	powershell.exe
2020	powershell.exe
1864	powershell.exe
2016	powershell.exe
2064	powershell.exe
2056	powershell.exe
1556	powershell.exe
2208	powershell.exe
2536	powershell.exe
1584	powershell.exe
2396	powershell.exe
2336	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2304	DllCommonsvc.exe
2792	OSPPSVC.exe
584	OSPPSVC.exe
1004	OSPPSVC.exe
2304	OSPPSVC.exe
2564	OSPPSVC.exe
2528	OSPPSVC.exe
2960	OSPPSVC.exe
2164	OSPPSVC.exe
1984	OSPPSVC.exe
1704	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2900	cmd.exe
2900	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
17	raw.githubusercontent.com
24	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
21	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Branding\ShellBrd\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\1610b97d3ab4a7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2660	schtasks.exe
904	schtasks.exe
2416	schtasks.exe
2232	schtasks.exe
1140	schtasks.exe
1928	schtasks.exe
2952	schtasks.exe
2600	schtasks.exe
2640	schtasks.exe
2928	schtasks.exe
1956	schtasks.exe
944	schtasks.exe
2180	schtasks.exe
692	schtasks.exe
2712	schtasks.exe
2408	schtasks.exe
1444	schtasks.exe
2664	schtasks.exe
2564	schtasks.exe
1988	schtasks.exe
1892	schtasks.exe
2828	schtasks.exe
2164	schtasks.exe
652	schtasks.exe
2224	schtasks.exe
964	schtasks.exe
1648	schtasks.exe
1652	schtasks.exe
2296	schtasks.exe
1748	schtasks.exe
2344	schtasks.exe
2868	schtasks.exe
1316	schtasks.exe
1156	schtasks.exe
2912	schtasks.exe
1668	schtasks.exe
820	schtasks.exe
1728	schtasks.exe
2632	schtasks.exe
2116	schtasks.exe
3048	schtasks.exe
1544	schtasks.exe
1312	schtasks.exe
1972	schtasks.exe
1020	schtasks.exe
2156	schtasks.exe
2308	schtasks.exe
1504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2304	DllCommonsvc.exe
2536	powershell.exe
592	powershell.exe
2336	powershell.exe
2056	powershell.exe
2208	powershell.exe
1556	powershell.exe
2064	powershell.exe
2396	powershell.exe
2076	powershell.exe
1584	powershell.exe
2020	powershell.exe
2504	powershell.exe
2016	powershell.exe
1864	powershell.exe
2524	powershell.exe
2528	powershell.exe
2792	OSPPSVC.exe
584	OSPPSVC.exe
1004	OSPPSVC.exe
2304	OSPPSVC.exe
2564	OSPPSVC.exe
2528	OSPPSVC.exe
2960	OSPPSVC.exe
2164	OSPPSVC.exe
1984	OSPPSVC.exe
1704	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	DllCommonsvc.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	592	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2792	OSPPSVC.exe
Token: SeDebugPrivilege	584	OSPPSVC.exe
Token: SeDebugPrivilege	1004	OSPPSVC.exe
Token: SeDebugPrivilege	2304	OSPPSVC.exe
Token: SeDebugPrivilege	2564	OSPPSVC.exe
Token: SeDebugPrivilege	2528	OSPPSVC.exe
Token: SeDebugPrivilege	2960	OSPPSVC.exe
Token: SeDebugPrivilege	2164	OSPPSVC.exe
Token: SeDebugPrivilege	1984	OSPPSVC.exe
Token: SeDebugPrivilege	1704	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2160	2568	JaffaCakes118_2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3.exe	30
PID 2568 wrote to memory of 2160	2568	JaffaCakes118_2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3.exe	30
PID 2568 wrote to memory of 2160	2568	JaffaCakes118_2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3.exe	30
PID 2568 wrote to memory of 2160	2568	JaffaCakes118_2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3.exe	30
PID 2160 wrote to memory of 2900	2160	WScript.exe	31
PID 2160 wrote to memory of 2900	2160	WScript.exe	31
PID 2160 wrote to memory of 2900	2160	WScript.exe	31
PID 2160 wrote to memory of 2900	2160	WScript.exe	31
PID 2900 wrote to memory of 2304	2900	cmd.exe	33
PID 2900 wrote to memory of 2304	2900	cmd.exe	33
PID 2900 wrote to memory of 2304	2900	cmd.exe	33
PID 2900 wrote to memory of 2304	2900	cmd.exe	33
PID 2304 wrote to memory of 2208	2304	DllCommonsvc.exe	83
PID 2304 wrote to memory of 2208	2304	DllCommonsvc.exe	83
PID 2304 wrote to memory of 2208	2304	DllCommonsvc.exe	83
PID 2304 wrote to memory of 2528	2304	DllCommonsvc.exe	84
PID 2304 wrote to memory of 2528	2304	DllCommonsvc.exe	84
PID 2304 wrote to memory of 2528	2304	DllCommonsvc.exe	84
PID 2304 wrote to memory of 592	2304	DllCommonsvc.exe	85
PID 2304 wrote to memory of 592	2304	DllCommonsvc.exe	85
PID 2304 wrote to memory of 592	2304	DllCommonsvc.exe	85
PID 2304 wrote to memory of 2536	2304	DllCommonsvc.exe	86
PID 2304 wrote to memory of 2536	2304	DllCommonsvc.exe	86
PID 2304 wrote to memory of 2536	2304	DllCommonsvc.exe	86
PID 2304 wrote to memory of 1860	2304	DllCommonsvc.exe	87
PID 2304 wrote to memory of 1860	2304	DllCommonsvc.exe	87
PID 2304 wrote to memory of 1860	2304	DllCommonsvc.exe	87
PID 2304 wrote to memory of 2504	2304	DllCommonsvc.exe	88
PID 2304 wrote to memory of 2504	2304	DllCommonsvc.exe	88
PID 2304 wrote to memory of 2504	2304	DllCommonsvc.exe	88
PID 2304 wrote to memory of 2064	2304	DllCommonsvc.exe	89
PID 2304 wrote to memory of 2064	2304	DllCommonsvc.exe	89
PID 2304 wrote to memory of 2064	2304	DllCommonsvc.exe	89
PID 2304 wrote to memory of 2016	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 2016	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 2016	2304	DllCommonsvc.exe	90
PID 2304 wrote to memory of 1556	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 1556	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 1556	2304	DllCommonsvc.exe	91
PID 2304 wrote to memory of 2020	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2020	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2020	2304	DllCommonsvc.exe	92
PID 2304 wrote to memory of 2396	2304	DllCommonsvc.exe	93
PID 2304 wrote to memory of 2396	2304	DllCommonsvc.exe	93
PID 2304 wrote to memory of 2396	2304	DllCommonsvc.exe	93
PID 2304 wrote to memory of 1584	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 1584	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 1584	2304	DllCommonsvc.exe	94
PID 2304 wrote to memory of 2056	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2056	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2056	2304	DllCommonsvc.exe	95
PID 2304 wrote to memory of 2524	2304	DllCommonsvc.exe	96
PID 2304 wrote to memory of 2524	2304	DllCommonsvc.exe	96
PID 2304 wrote to memory of 2524	2304	DllCommonsvc.exe	96
PID 2304 wrote to memory of 1864	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 1864	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 1864	2304	DllCommonsvc.exe	97
PID 2304 wrote to memory of 2076	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2076	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2076	2304	DllCommonsvc.exe	98
PID 2304 wrote to memory of 2336	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2336	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2336	2304	DllCommonsvc.exe	99
PID 2304 wrote to memory of 2792	2304	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c4c913749e8f093ee3ab40178a0fd668889419009f28691509054e929c831d3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        6⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3024
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        8⤵
        
        PID:1276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2880
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        10⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:960
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        12⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2748
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        14⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2892
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        16⤵
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2684
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat"
        18⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1976
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        20⤵
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:904
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        22⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2360
        
        C:\Windows\Branding\ShellBrd\OSPPSVC.exe
        
        "C:\Windows\Branding\ShellBrd\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\Branding\ShellBrd\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1526ac78c7c277f454ca27169743099d

SHA1
3a5282d9bee814663ed126c43892df62a86b494d

SHA256
d44ff190f107775048e058a2291649fbd1b5a50b82d46fcdd223acac8cbc49b3

SHA512
cbd07a2493cbfe5d7acace6b8ee4807b3ec690c2d3841c9ed1e3e012e0aac83b085b27f06b0690a93f15e5e03598d6050acd5d7449bdc24149be2c82a9bc2834

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53616a6dfb68700d213f2d9d06c7ea2d

SHA1
9c005a58566e26861e0b2717e83fd77dffde5a3a

SHA256
c419a7c1848859affaa7dcb8ee8f103cdff259afff1da7cde5bcdba7c9a584b6

SHA512
5c3e1d48dd5d6ade97a5d41d96f22a8df3dd5c5c0547a333887830c0305ecb7785f0ab038dea72b8c2c2848bf5ef7a6f83da1aa322366de8f19daf0273fd591e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4f209f8d3c3bfc82fd4988d7c26dfb8

SHA1
9e1bb2513151810b55da4b8b81e03072e26fee32

SHA256
b96950b859165db86638f72a3f382ff2d3e889a26d0d84af37c48f8beb57449f

SHA512
e7b33ed4b8a03912af712da03668644ba94c2c53a178008d443f07f8908fc9a5308f0391db0bdc9c551f4ea1f261830248656c2fad9678c1ee1ef2d04d31a257

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5e751987a92dc14298021f9fda5b9d8

SHA1
77d06b34ea7376bc3125e92e62a81961b5f594f4

SHA256
fbfad97ff0ff77865c8428d6c8df20d6b84dfaa82195d25bc65bb5a6180f3951

SHA512
cdc88495d22b703ee81fbac19653d2a276685a6040c9af0f57fa12fe07d20c4eab84969bb815593c760f9a4dd8e0f79103268e48d015873636b26f38a51a0386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87199422a5fa37c2221cd6ecceea4b4e

SHA1
50f89d3a6816e4f48033519d99ce63e32dc22ebc

SHA256
3a69e247c75ddfab36dc4abf08161353c568a99f9e59232d5d9b7f56a541b28a

SHA512
2db229af59aa3b243fc668c777e1a28a3664f21a17233a1e980c9ae61ba4a02db5b7d29782b63c06dc9fefe0e77d3428a47a609528cf7e81d4799cf6243581d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98f87177c4b2dba76c9a9809ea7583e8

SHA1
6e519d434257bf4fa62b222b250b2c997512e6ca

SHA256
b94370db19801a0552dd0429b7328914105d9fac14150997051143df3a8e703b

SHA512
4fc3ab424f761187537de22dd4dccefcdae09fb2cfbe0df14a5df92238961c2bc8f42aa6602f7af4933a646886e73128884eace80bf16d3135ea19d8fb490658

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e85cf643055b905daf6873442fc0ef65

SHA1
87c6c451ad17a641179c272ba4eb425e237fc6fa

SHA256
aace5857bdeae73367dc09e906753bef2f251ef99eb3165816fcbab8dfeae4d4

SHA512
92a82ccb7cb5275bf739894b2a2f053e1dcef32cd40e4c4cbea16b51cc742326230932a15a859da2db8ac72bbab5e5c2785ae1f5b56edfa7a9d5a0aa3b231a4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6aaec77ba658868ffbad5d7e2f5ceccc

SHA1
58ec4b4ae7cc56306d2219c43294b07621ade1e0

SHA256
1059e8991986e10ea94212f4eaaa92e727fa44296905169af0898808d62c0b5c

SHA512
2d083448315fa6ab14824942f57e1748355bd6a6670c4375140e8e5d68a37e8379d5da1c965c23211c48984bbab63a5e579053df8ba1eddddc1dc98e1503567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
205B

MD5
eac7d7b89272f8a083a4b108198dba4f

SHA1
5940cb2c4b0916aff142919ccbf2eb5ef92f285e

SHA256
8821c54ad712b29e9fd05d9693ed95c13463513b50f4d9b27758309a498a7577

SHA512
22dd6784237ff3500d871797f9af4096a5cb641c8b5b23982f4f1d229160c34f00d5a890da8228ceb317480aa10aee949c93245dd14ecd3fab3b61c4188a0a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
205B

MD5
c0a080551bdf3af3db1fda02ba303fb4

SHA1
08cd6f444e33f614c6405ae057f7d68520531796

SHA256
366708fc042c0b3c949cd9212a6ae323ad510c57dd2a0379ff7744ee0c1efa18

SHA512
f15141931514bdc5ec4b84242e2a8ae8b322ffd01eaea59f99b68dfe22bc9118d807592d8d3f7e0baa8922f1dc061df861b77d6adcdff0bd8d0f3ef186965238

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
205B

MD5
ad302e06fb5be04d97dc72fd9788cece

SHA1
dcbbfeb79347a2862d8b503800a3635b65505b5e

SHA256
91406654b6b358c5643bc7f5ddc8d329dcf76aa3f762d84c40c4865da828b3db

SHA512
84ee3f037e3d50e694a12874a4b86b2187fe0008156eb74201ca9fb0cbc9985058bdecc97091efac00f7476dfee6bee580f8135b5fbdf870be80cee86eb8d007

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF24D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF26F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
205B

MD5
09f51c8413a13cc3f6df4b436af27cef

SHA1
5b7a19739c8ad3a88c170450eaaafe18e46cf238

SHA256
d2200886ce3c60510c0c55cc77cd4c8e812785ead572d4da3515669383db195c

SHA512
dfc449ddc7b9ac03fb7b8e84ecb1e0f897bdcfb0158f9cd13a4fc5046d0e4fde45c181ba4ee34e7445d1146ce3f95d487c928c817acf5f75e00849639f6f46b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
205B

MD5
dd484d993c9fab1459c850cfef3d0192

SHA1
8b9b4403563227ff2749f4a4b311075a90ffef0b

SHA256
1b78bff9cbbca14da8c49aaf74ae25a86b967f10365fd738bfa6652e0fad176e

SHA512
857403e4b0ddf14a54fb91614913f1421bea0508e49a4a86bab98c0084c503c2fabca590b20ee089745c06b4542526864d3939a481dfe0d44c81c0976915ee2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
205B

MD5
58f26aaa71a4182c4737d9e2db3b6093

SHA1
015d4c393e3d2bcf9d0ae14a40b1e6c199482383

SHA256
399457b263355037c6b59ec4ab2f3a3851c515a900c19b5563916c3ad3ef0b81

SHA512
7d77a3f6b09dc161f0c64316a3d40ce20d32c52bdb643bd4c9e54de7ffea6f7390137a1c9eab33b0f48f752bd82618fd1ef774cd3dba860034e9fa0298a39797

Download Submit
C:\Users\Admin\AppData\Local\Temp\lAZRwHYzWc.bat

Filesize
205B

MD5
3f2f35fa51419bf8c5a82246da3711ce

SHA1
b3e11b6919e44db7c04faf1a13945075410b8092

SHA256
f4ebeca8b3357ea4ffb2327ee05aab32684432f602226a598dcbddca3515d4bb

SHA512
ce021a248a5d2ab33183c8ee62d4234074f46096fe0e809965ce27bc13d566854898d52b5e1f7af689523184f272b9da6423d44d563131ebfdf5709ebc4ddeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
205B

MD5
53dbc41977193f03a494d14920f1fad6

SHA1
32ec55c30d97e43c3c6b4a7efdca12683d3ff366

SHA256
4e5acad78cb5a3f40734acc54793fdb65dacc1d7553ba5bd7baa8df3f0c6ce02

SHA512
45c161b33039238699921e2ff10ff9e8014c8331c224a327c2c73820fbd26765a737606e97b286438e9f76f3cb01a72715bc919781ab715f59f3362f29caaed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
205B

MD5
7a91f3d5a98e037808cd8be4186e80b6

SHA1
5882b0514fe1a9efe566af26b69758ce85d8995d

SHA256
781f6df7e2d87731a9ba03b15560661a632542677934098cf741ed8b0687f9f7

SHA512
50385363264d02e6464f810916899fdaaa42d4cbdf37d41ef0765a7b3a21560d83b71feeaed87afd8861a27029941da7199d349e510e843956363bd48fa8a66d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1bdecd825402869ddcff46ffd58d624c

SHA1
015c13993c5a66b86daa0e4c2fa0b4059a97ecf2

SHA256
2197bfcaea40991f2e9b194016284eaec5a2ad39cb3602e3078684939cf9cd7f

SHA512
822e932923b5865c818ba31dc4a08eb34b33597f4966ba48a4364cbe983c77536c78380a16cac92fc54a509433ff4e1f02c811161ed994ab022a278997bfcbe2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/584-195-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/584-194-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1004-255-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2164-554-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2304-16-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2304-13-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2304-15-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2304-316-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2304-14-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2304-17-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2304-315-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2536-67-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2536-68-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2792-56-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/2960-494-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download