dcrat | c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe
Size

1.3MB
MD5

ea608816f5df1ebe40e99899b2efefa4
SHA1

4c3ec8c5dd7849d3228889846b124fffa48181af
SHA256

c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de
SHA512

07b26138347d5ab1b5f7c37dd689d0426e5125541632c9690c507827fe0f5aac5d71195ad82a0fdf6e6330dc2383cd3feea333e8bf0d001080ca39acbb9de1b3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4236	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3724	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3112	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	4976	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	4976	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b7a-10.dat	dcrat
behavioral2/memory/956-13-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
4992	powershell.exe
1340	powershell.exe
372	powershell.exe
2008	powershell.exe
2836	powershell.exe
5004	powershell.exe
2448	powershell.exe
836	powershell.exe
872	powershell.exe
4568	powershell.exe
216	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 14 IoCs

pid	Process
956	DllCommonsvc.exe
1368	smss.exe
5060	smss.exe
3120	smss.exe
3972	smss.exe
4720	smss.exe
4172	smss.exe
2216	smss.exe
4064	smss.exe
4236	smss.exe
4284	smss.exe
3620	smss.exe
4308	smss.exe
2452	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
50	raw.githubusercontent.com
52	raw.githubusercontent.com
14	raw.githubusercontent.com
22	raw.githubusercontent.com
36	raw.githubusercontent.com
37	raw.githubusercontent.com
42	raw.githubusercontent.com
53	raw.githubusercontent.com
15	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
49	raw.githubusercontent.com
51	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Misc\PCAT\services.exe	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\production\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\production\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Tasks\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\Globalization\Time Zone\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\Time Zone\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1368	schtasks.exe
1844	schtasks.exe
3368	schtasks.exe
3724	schtasks.exe
3580	schtasks.exe
848	schtasks.exe
3352	schtasks.exe
4632	schtasks.exe
2516	schtasks.exe
1852	schtasks.exe
4236	schtasks.exe
2364	schtasks.exe
1052	schtasks.exe
2864	schtasks.exe
2840	schtasks.exe
3084	schtasks.exe
4608	schtasks.exe
316	schtasks.exe
1552	schtasks.exe
3592	schtasks.exe
1988	schtasks.exe
1892	schtasks.exe
384	schtasks.exe
3032	schtasks.exe
3112	schtasks.exe
2412	schtasks.exe
2820	schtasks.exe
2592	schtasks.exe
3844	schtasks.exe
616	schtasks.exe
2812	schtasks.exe
2192	schtasks.exe
408	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
956	DllCommonsvc.exe
956	DllCommonsvc.exe
956	DllCommonsvc.exe
956	DllCommonsvc.exe
956	DllCommonsvc.exe
956	DllCommonsvc.exe
956	DllCommonsvc.exe
956	DllCommonsvc.exe
956	DllCommonsvc.exe
836	powershell.exe
836	powershell.exe
2836	powershell.exe
2836	powershell.exe
1756	powershell.exe
1756	powershell.exe
2008	powershell.exe
2008	powershell.exe
5004	powershell.exe
5004	powershell.exe
2448	powershell.exe
2448	powershell.exe
372	powershell.exe
372	powershell.exe
4992	powershell.exe
4992	powershell.exe
216	powershell.exe
216	powershell.exe
872	powershell.exe
872	powershell.exe
4568	powershell.exe
4568	powershell.exe
1340	powershell.exe
1340	powershell.exe
1340	powershell.exe
2836	powershell.exe
2008	powershell.exe
4992	powershell.exe
5004	powershell.exe
836	powershell.exe
836	powershell.exe
372	powershell.exe
2448	powershell.exe
1756	powershell.exe
872	powershell.exe
216	powershell.exe
4568	powershell.exe
1368	smss.exe
5060	smss.exe
3120	smss.exe
3972	smss.exe
4720	smss.exe
4172	smss.exe
2216	smss.exe
4064	smss.exe
4236	smss.exe
4284	smss.exe
3620	smss.exe
4308	smss.exe
2452	smss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	956	DllCommonsvc.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	372	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	4568	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1368	smss.exe
Token: SeDebugPrivilege	5060	smss.exe
Token: SeDebugPrivilege	3120	smss.exe
Token: SeDebugPrivilege	3972	smss.exe
Token: SeDebugPrivilege	4720	smss.exe
Token: SeDebugPrivilege	4172	smss.exe
Token: SeDebugPrivilege	2216	smss.exe
Token: SeDebugPrivilege	4064	smss.exe
Token: SeDebugPrivilege	4236	smss.exe
Token: SeDebugPrivilege	4284	smss.exe
Token: SeDebugPrivilege	3620	smss.exe
Token: SeDebugPrivilege	4308	smss.exe
Token: SeDebugPrivilege	2452	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1972	3612	JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe	83
PID 3612 wrote to memory of 1972	3612	JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe	83
PID 3612 wrote to memory of 1972	3612	JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe	83
PID 1972 wrote to memory of 1184	1972	WScript.exe	85
PID 1972 wrote to memory of 1184	1972	WScript.exe	85
PID 1972 wrote to memory of 1184	1972	WScript.exe	85
PID 1184 wrote to memory of 956	1184	cmd.exe	87
PID 1184 wrote to memory of 956	1184	cmd.exe	87
PID 956 wrote to memory of 5004	956	DllCommonsvc.exe	123
PID 956 wrote to memory of 5004	956	DllCommonsvc.exe	123
PID 956 wrote to memory of 836	956	DllCommonsvc.exe	124
PID 956 wrote to memory of 836	956	DllCommonsvc.exe	124
PID 956 wrote to memory of 2836	956	DllCommonsvc.exe	125
PID 956 wrote to memory of 2836	956	DllCommonsvc.exe	125
PID 956 wrote to memory of 2008	956	DllCommonsvc.exe	126
PID 956 wrote to memory of 2008	956	DllCommonsvc.exe	126
PID 956 wrote to memory of 372	956	DllCommonsvc.exe	127
PID 956 wrote to memory of 372	956	DllCommonsvc.exe	127
PID 956 wrote to memory of 1340	956	DllCommonsvc.exe	128
PID 956 wrote to memory of 1340	956	DllCommonsvc.exe	128
PID 956 wrote to memory of 2448	956	DllCommonsvc.exe	129
PID 956 wrote to memory of 2448	956	DllCommonsvc.exe	129
PID 956 wrote to memory of 1756	956	DllCommonsvc.exe	130
PID 956 wrote to memory of 1756	956	DllCommonsvc.exe	130
PID 956 wrote to memory of 4992	956	DllCommonsvc.exe	131
PID 956 wrote to memory of 4992	956	DllCommonsvc.exe	131
PID 956 wrote to memory of 216	956	DllCommonsvc.exe	135
PID 956 wrote to memory of 216	956	DllCommonsvc.exe	135
PID 956 wrote to memory of 4568	956	DllCommonsvc.exe	140
PID 956 wrote to memory of 4568	956	DllCommonsvc.exe	140
PID 956 wrote to memory of 872	956	DllCommonsvc.exe	141
PID 956 wrote to memory of 872	956	DllCommonsvc.exe	141
PID 956 wrote to memory of 4016	956	DllCommonsvc.exe	147
PID 956 wrote to memory of 4016	956	DllCommonsvc.exe	147
PID 4016 wrote to memory of 1676	4016	cmd.exe	149
PID 4016 wrote to memory of 1676	4016	cmd.exe	149
PID 4016 wrote to memory of 1368	4016	cmd.exe	156
PID 4016 wrote to memory of 1368	4016	cmd.exe	156
PID 1368 wrote to memory of 4196	1368	smss.exe	160
PID 1368 wrote to memory of 4196	1368	smss.exe	160
PID 4196 wrote to memory of 1628	4196	cmd.exe	162
PID 4196 wrote to memory of 1628	4196	cmd.exe	162
PID 4196 wrote to memory of 5060	4196	cmd.exe	168
PID 4196 wrote to memory of 5060	4196	cmd.exe	168
PID 5060 wrote to memory of 2196	5060	smss.exe	170
PID 5060 wrote to memory of 2196	5060	smss.exe	170
PID 2196 wrote to memory of 4412	2196	cmd.exe	172
PID 2196 wrote to memory of 4412	2196	cmd.exe	172
PID 2196 wrote to memory of 3120	2196	cmd.exe	177
PID 2196 wrote to memory of 3120	2196	cmd.exe	177
PID 3120 wrote to memory of 2292	3120	smss.exe	179
PID 3120 wrote to memory of 2292	3120	smss.exe	179
PID 2292 wrote to memory of 3388	2292	cmd.exe	181
PID 2292 wrote to memory of 3388	2292	cmd.exe	181
PID 2292 wrote to memory of 3972	2292	cmd.exe	183
PID 2292 wrote to memory of 3972	2292	cmd.exe	183
PID 3972 wrote to memory of 4484	3972	smss.exe	185
PID 3972 wrote to memory of 4484	3972	smss.exe	185
PID 4484 wrote to memory of 3680	4484	cmd.exe	187
PID 4484 wrote to memory of 3680	4484	cmd.exe	187
PID 4484 wrote to memory of 4720	4484	cmd.exe	189
PID 4484 wrote to memory of 4720	4484	cmd.exe	189
PID 4720 wrote to memory of 2864	4720	smss.exe	191
PID 4720 wrote to memory of 2864	4720	smss.exe	191

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c04ed10afaf04ec1570c87bce65842bac6ac0634c281f04eacec1797b2bbf4de.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\regid.1991-06.com.microsoft\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\production\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\Time Zone\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\22pxV8y2CD.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4016
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1676
      - C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1628
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4412
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3388
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3680
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
        15⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3772
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        17⤵
        
        PID:4664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4156
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
        19⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4984
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
        21⤵
        
        PID:1080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1572
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        23⤵
        
        PID:4804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:384
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        25⤵
        
        PID:3236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2528
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        27⤵
        
        PID:392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:428
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
        29⤵
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4636
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\regid.1991-06.com.microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 8 /tr "'C:\providercommon\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 5 /tr "'C:\providercommon\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\IdentityCRL\production\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\production\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\IdentityCRL\production\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Windows\Globalization\Time Zone\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Globalization\Time Zone\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Globalization\Time Zone\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
73f34fe916c19a2583073cf1cdb186cb

SHA1
fcf1054aa822ea423e181725ae9ef68d92abb347

SHA256
7343df9c19a951e3aec3eaf90bd4a24ffc712497c618acf94b3c0b4c9d4eb711

SHA512
6b820f949c3b5ce02c30c1e9f39364f7f1726ca02e4fbce9f12fff0c22fe317e9ccdccbc917506860d0cacac120ef6d215d9ef1ddb7fbf5fffc835c8e28c0019

Download Submit
C:\Users\Admin\AppData\Local\Temp\22pxV8y2CD.bat

Filesize
195B

MD5
763cd7dc10335bea705706d8b80b37e7

SHA1
eb91f2de4e600fbbf7154de0a12e3c00a13cf1ef

SHA256
129e4e0c56b0d897bd4ffecf0cd5416a8304df6d2e97dfa3938d05df1aa14a5a

SHA512
d4825847c8ba5f2c3729c008566f1cc95f840ce77194b551cd6bf8271c3fa1a80d3d0d599657646725222ccb7de7f1feaecb7ccfe2f7460db266b4d2e71181b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
195B

MD5
d25d99f8f07e0703d258742d90cdc38d

SHA1
0b235a88364be01d0f53995721b509ec68eb9381

SHA256
40ab4015523705484ea0ff8e1887d2b20b8d3c9630bac9e1c8c1912c0dd40465

SHA512
dd47bff4fb7567e37f6e0ee936d36a360d3a7c0009c9dfe3720ca4ee4c6f38b4b47884b492a5ef9780c7284e68bfa45a121066f3882393498d009d63cab4288c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

Filesize
195B

MD5
3d6a4513af3fe2f05399699daa308f92

SHA1
235b2b00faf6ffb7afde5e622c67532cfac34541

SHA256
c0e52500e382d06d14f0ebb97ea433e822d84bbb33d77c6afe7b830066290d93

SHA512
3689ba29fe461adacdfe34f8c2c3772710c83c1fa0e7e31e17e39e591838d5f894401be51784cd46a7dff1b449a6ca3f41fbb605e9d2e44ab40ca099aad49ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
195B

MD5
0080fa5dcec05e0f6e04f05d8ecf1cb0

SHA1
1b9ef7a83099582404ca1f4f8cfa6cf9807dda07

SHA256
f11285e1db443bf3f76b010d10e6965ca19613b1998f4831c218f27fac9d9d17

SHA512
1d218258ed4d4a8cf7c920137095c5dbdfa630d50055887f1b1f175d32acac0e56e6e0d1a6318f4a55ed4e452ccfb32f8e8427b9d466bfbad8a839b5aca97fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

Filesize
195B

MD5
e18adb63871396eb1212f43fceb002ea

SHA1
f9ce1368269218ecd1f8985643e049ca1984eebc

SHA256
0d13c5a44098c673fae36df470cfa0314c29fc392e98b252695ae399d13b2c3d

SHA512
585a36361ad0902a12d5940c02b8033881064224bed5012cfa7bfcea85b242c672e2efbaaeb219e3b6ecf2f38d8a1879eb8f0b1c92daa0dba0d66507810cd38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
195B

MD5
b402e8fddad0a2c1a8f13f93d2ac2e2f

SHA1
25f3afea346b82fd77122f73d2a3de6b84b624bf

SHA256
343f76e09b815c1a81b621bdefaa989e466a245591e6a471bef43c7fc39345fe

SHA512
2e01d3c2379f5a35220af288d7f17ed7279aff49499250c5b5497fac9e21cc4a8d77447a250e5e0fe914c817ca57a8442050b32ba61068983015b37f595133c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

Filesize
195B

MD5
930c6d8fb851919e3354b4eead3acb13

SHA1
ab4e75cfcbe16e553f7cc27ebf66ada71b0844e1

SHA256
8ea4ec785489986d4226fceffd284fafead90606cfddf848d011974710fb67d6

SHA512
11b54d179e941755caee3804035aa2ab9311bc2f9b17804fca1fb95750b8f16de556c0dd2e6b377681342d61e60e8a66a21198191131c1d56b662333690a47e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
195B

MD5
25a6b3162690deac996e09ac24f147c7

SHA1
6a8fc04a5d300e69eb4ea449703bd1d5527eceb0

SHA256
cbe74b3950d5c1878841478ee66c8e2c13434c3a3671ec21bf87944616dcbb6e

SHA512
70f592246569fde74c5cce624e1cbc7ee997b37076558cb04749e27738a6553140eae14f42622997d86068cdac6fb8d3d59e66a154282f2297c5269daffd1bc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_syemdse1.mdw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

Filesize
195B

MD5
81d095d477ddc632f45e2cecd9527409

SHA1
e00d2c5d481235f994213367b6c04bce45493646

SHA256
8e930cfc828a6a9c3a3880ac3ec220d1a2dcb4ffec486a18c61dedbcca33dbfd

SHA512
396665e0802698d03145a9113ed5062c3b7955ee1f5b89a6848fefecca3728aa79a4858feeb74f50cf22a558d46c6bfa66669f6340a55c6b6020ca3707c3ef90

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
195B

MD5
05909f6cfe0cbccc53891221941cebf0

SHA1
98d5644735a12d2ecee44ea438605bdeb7281480

SHA256
cc14163230d1abb966874c9062570272eda6d6f9c4d02db28fb887a80bcb28a2

SHA512
cd2081c6c262a5a64951126266ea1c81647e5e7fc9902b2ea6e220ee462ca927c01c898b9bfe199e8d7aa4f2ee42912bf57440f42bdc4e5867e4c62a206d852f

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
195B

MD5
3743d712a9c692dacbb2e316002b1aa1

SHA1
9cf0fb4d845473af4dfdd7333882a4dd8101a346

SHA256
4ff39ef0d3d6c82e38c8157fd14b52df57d45b243a8f57e0332d5d632358c493

SHA512
446fd70af5e4098b5b832b744455f6a905a52af13baac66fbee48936748f59252519148b7c7e2b88c6ef5a9cacafb336067ded66c1d9b38e64516a1505fdd91f

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat

Filesize
195B

MD5
098f6cfa335974a7b44887678c615d41

SHA1
373fe4e12a29e8230fc22713682d6332c620cc8e

SHA256
c7796f4b359b02db5e1d1ab27d3930f7044a97f897aaf389b5cc5fd1265dd6de

SHA512
82860344552b98e6a13b46f659c2143309498f27b04dbbba5712d99f3b00df3c0c8f224775c3dc1256840bc85b792867d7133b7ce495a1cb8e38b871857b976b

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

Filesize
195B

MD5
178bca793c26f4d24ee9dccb79c47202

SHA1
2b8c21791521a16065da360af03ff396cebd83e7

SHA256
2f800cb3a3e1d341769ea13ff46df799f36ce4e19ae9994efa03938cc2a9f6aa

SHA512
f70f0495be3192df6933b8d0f1b1bc9bf5f65ef2cd06498e95c8afeca6c991340a726fd5407bd698b7e01421e26dde9c41ad8188605a7e1f34406b5f40580a42

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/836-49-0x0000011AECEC0000-0x0000011AECEE2000-memory.dmp

Filesize
136KB

Download
memory/956-13-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/956-14-0x0000000003090000-0x00000000030A2000-memory.dmp

Filesize
72KB

Download
memory/956-15-0x00000000030C0000-0x00000000030CC000-memory.dmp

Filesize
48KB

Download
memory/956-16-0x00000000030A0000-0x00000000030AC000-memory.dmp

Filesize
48KB

Download
memory/956-17-0x00000000030D0000-0x00000000030DC000-memory.dmp

Filesize
48KB

Download
memory/956-12-0x00007FFCCEC83000-0x00007FFCCEC85000-memory.dmp

Filesize
8KB

Download
memory/1368-188-0x000000001D840000-0x000000001D8E1000-memory.dmp

Filesize
644KB

Download
memory/1368-189-0x000000001D8F0000-0x000000001DA99000-memory.dmp

Filesize
1.7MB

Download
memory/2216-233-0x00000000015F0000-0x0000000001602000-memory.dmp

Filesize
72KB

Download
memory/2452-270-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/3120-204-0x000000001D440000-0x000000001D4E1000-memory.dmp

Filesize
644KB

Download
memory/3120-205-0x000000001D4F0000-0x000000001D699000-memory.dmp

Filesize
1.7MB

Download
memory/3972-214-0x000000001D1F0000-0x000000001D399000-memory.dmp

Filesize
1.7MB

Download
memory/3972-213-0x000000001D140000-0x000000001D1E1000-memory.dmp

Filesize
644KB

Download
memory/3972-208-0x000000001AFF0000-0x000000001B002000-memory.dmp

Filesize
72KB

Download
memory/4172-231-0x000000001D6F0000-0x000000001D899000-memory.dmp

Filesize
1.7MB

Download
memory/4172-230-0x000000001D640000-0x000000001D6E1000-memory.dmp

Filesize
644KB

Download
memory/4720-222-0x000000001D2F0000-0x000000001D499000-memory.dmp

Filesize
1.7MB

Download
memory/4720-221-0x000000001D240000-0x000000001D2E1000-memory.dmp

Filesize
644KB

Download
memory/5060-193-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download