dcrat | e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea.exe
Size

1.3MB
MD5

4f8e6ac7f24fbef5858b3aa5e0229a8a
SHA1

496fba9f097ca13d8e5ad831796639157ab5fd58
SHA256

e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea
SHA512

741a6f9750c620518a08985e08e6181ca558e7eb92d2e6252a1a0e919d81dc023dee233d43db16bf80f2b1f75e1befe5ee5d085dc9ef3fed9454e88fffadacae
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2584	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001932d-12.dat	dcrat
behavioral1/memory/2616-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/2924-103-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2640-201-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2324-261-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/2080-321-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/1604-382-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/1548-443-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/2336-504-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1460-564-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/2464-685-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2728	powershell.exe
1880	powershell.exe
2148	powershell.exe
2068	powershell.exe
2264	powershell.exe
2188	powershell.exe
2112	powershell.exe
2376	powershell.exe
1364	powershell.exe
1480	powershell.exe
1492	powershell.exe
1484	powershell.exe
2132	powershell.exe
2672	powershell.exe
3060	powershell.exe
2232	powershell.exe
2384	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2616	DllCommonsvc.exe
2924	dllhost.exe
2640	dllhost.exe
2324	dllhost.exe
2080	dllhost.exe
1604	dllhost.exe
1548	dllhost.exe
2336	dllhost.exe
1460	dllhost.exe
2332	dllhost.exe
2464	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	cmd.exe
2392	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
34	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\it-IT\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Reference Assemblies\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\de-DE\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2300	schtasks.exe
3056	schtasks.exe
332	schtasks.exe
1544	schtasks.exe
2092	schtasks.exe
2484	schtasks.exe
2252	schtasks.exe
988	schtasks.exe
1724	schtasks.exe
2436	schtasks.exe
2064	schtasks.exe
1496	schtasks.exe
576	schtasks.exe
1192	schtasks.exe
2192	schtasks.exe
1756	schtasks.exe
2104	schtasks.exe
2632	schtasks.exe
1580	schtasks.exe
2924	schtasks.exe
1576	schtasks.exe
2664	schtasks.exe
2428	schtasks.exe
1980	schtasks.exe
1792	schtasks.exe
1868	schtasks.exe
448	schtasks.exe
924	schtasks.exe
1016	schtasks.exe
3024	schtasks.exe
296	schtasks.exe
1300	schtasks.exe
1648	schtasks.exe
2016	schtasks.exe
2928	schtasks.exe
2288	schtasks.exe
2832	schtasks.exe
2680	schtasks.exe
2168	schtasks.exe
2344	schtasks.exe
2128	schtasks.exe
1984	schtasks.exe
1932	schtasks.exe
1168	schtasks.exe
2912	schtasks.exe
1696	schtasks.exe
544	schtasks.exe
2404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2616	DllCommonsvc.exe
2616	DllCommonsvc.exe
2616	DllCommonsvc.exe
2616	DllCommonsvc.exe
2616	DllCommonsvc.exe
2616	DllCommonsvc.exe
2616	DllCommonsvc.exe
2068	powershell.exe
2112	powershell.exe
2188	powershell.exe
1480	powershell.exe
2728	powershell.exe
2264	powershell.exe
2148	powershell.exe
3060	powershell.exe
2232	powershell.exe
2376	powershell.exe
2384	powershell.exe
1364	powershell.exe
1484	powershell.exe
1880	powershell.exe
2672	powershell.exe
2132	powershell.exe
1492	powershell.exe
2924	dllhost.exe
2640	dllhost.exe
2324	dllhost.exe
2080	dllhost.exe
1604	dllhost.exe
1548	dllhost.exe
2336	dllhost.exe
1460	dllhost.exe
2332	dllhost.exe
2464	dllhost.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	DllCommonsvc.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	2924	dllhost.exe
Token: SeDebugPrivilege	2640	dllhost.exe
Token: SeDebugPrivilege	2324	dllhost.exe
Token: SeDebugPrivilege	2080	dllhost.exe
Token: SeDebugPrivilege	1604	dllhost.exe
Token: SeDebugPrivilege	1548	dllhost.exe
Token: SeDebugPrivilege	2336	dllhost.exe
Token: SeDebugPrivilege	1460	dllhost.exe
Token: SeDebugPrivilege	2332	dllhost.exe
Token: SeDebugPrivilege	2464	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2688	2188	JaffaCakes118_e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea.exe	30
PID 2188 wrote to memory of 2688	2188	JaffaCakes118_e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea.exe	30
PID 2188 wrote to memory of 2688	2188	JaffaCakes118_e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea.exe	30
PID 2188 wrote to memory of 2688	2188	JaffaCakes118_e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea.exe	30
PID 2688 wrote to memory of 2392	2688	WScript.exe	31
PID 2688 wrote to memory of 2392	2688	WScript.exe	31
PID 2688 wrote to memory of 2392	2688	WScript.exe	31
PID 2688 wrote to memory of 2392	2688	WScript.exe	31
PID 2392 wrote to memory of 2616	2392	cmd.exe	33
PID 2392 wrote to memory of 2616	2392	cmd.exe	33
PID 2392 wrote to memory of 2616	2392	cmd.exe	33
PID 2392 wrote to memory of 2616	2392	cmd.exe	33
PID 2616 wrote to memory of 2112	2616	DllCommonsvc.exe	83
PID 2616 wrote to memory of 2112	2616	DllCommonsvc.exe	83
PID 2616 wrote to memory of 2112	2616	DllCommonsvc.exe	83
PID 2616 wrote to memory of 2148	2616	DllCommonsvc.exe	84
PID 2616 wrote to memory of 2148	2616	DllCommonsvc.exe	84
PID 2616 wrote to memory of 2148	2616	DllCommonsvc.exe	84
PID 2616 wrote to memory of 2068	2616	DllCommonsvc.exe	85
PID 2616 wrote to memory of 2068	2616	DllCommonsvc.exe	85
PID 2616 wrote to memory of 2068	2616	DllCommonsvc.exe	85
PID 2616 wrote to memory of 2232	2616	DllCommonsvc.exe	86
PID 2616 wrote to memory of 2232	2616	DllCommonsvc.exe	86
PID 2616 wrote to memory of 2232	2616	DllCommonsvc.exe	86
PID 2616 wrote to memory of 2384	2616	DllCommonsvc.exe	87
PID 2616 wrote to memory of 2384	2616	DllCommonsvc.exe	87
PID 2616 wrote to memory of 2384	2616	DllCommonsvc.exe	87
PID 2616 wrote to memory of 2376	2616	DllCommonsvc.exe	88
PID 2616 wrote to memory of 2376	2616	DllCommonsvc.exe	88
PID 2616 wrote to memory of 2376	2616	DllCommonsvc.exe	88
PID 2616 wrote to memory of 1480	2616	DllCommonsvc.exe	89
PID 2616 wrote to memory of 1480	2616	DllCommonsvc.exe	89
PID 2616 wrote to memory of 1480	2616	DllCommonsvc.exe	89
PID 2616 wrote to memory of 1492	2616	DllCommonsvc.exe	90
PID 2616 wrote to memory of 1492	2616	DllCommonsvc.exe	90
PID 2616 wrote to memory of 1492	2616	DllCommonsvc.exe	90
PID 2616 wrote to memory of 1484	2616	DllCommonsvc.exe	91
PID 2616 wrote to memory of 1484	2616	DllCommonsvc.exe	91
PID 2616 wrote to memory of 1484	2616	DllCommonsvc.exe	91
PID 2616 wrote to memory of 2132	2616	DllCommonsvc.exe	92
PID 2616 wrote to memory of 2132	2616	DllCommonsvc.exe	92
PID 2616 wrote to memory of 2132	2616	DllCommonsvc.exe	92
PID 2616 wrote to memory of 2728	2616	DllCommonsvc.exe	93
PID 2616 wrote to memory of 2728	2616	DllCommonsvc.exe	93
PID 2616 wrote to memory of 2728	2616	DllCommonsvc.exe	93
PID 2616 wrote to memory of 2672	2616	DllCommonsvc.exe	94
PID 2616 wrote to memory of 2672	2616	DllCommonsvc.exe	94
PID 2616 wrote to memory of 2672	2616	DllCommonsvc.exe	94
PID 2616 wrote to memory of 2264	2616	DllCommonsvc.exe	95
PID 2616 wrote to memory of 2264	2616	DllCommonsvc.exe	95
PID 2616 wrote to memory of 2264	2616	DllCommonsvc.exe	95
PID 2616 wrote to memory of 1880	2616	DllCommonsvc.exe	96
PID 2616 wrote to memory of 1880	2616	DllCommonsvc.exe	96
PID 2616 wrote to memory of 1880	2616	DllCommonsvc.exe	96
PID 2616 wrote to memory of 2188	2616	DllCommonsvc.exe	97
PID 2616 wrote to memory of 2188	2616	DllCommonsvc.exe	97
PID 2616 wrote to memory of 2188	2616	DllCommonsvc.exe	97
PID 2616 wrote to memory of 3060	2616	DllCommonsvc.exe	98
PID 2616 wrote to memory of 3060	2616	DllCommonsvc.exe	98
PID 2616 wrote to memory of 3060	2616	DllCommonsvc.exe	98
PID 2616 wrote to memory of 1364	2616	DllCommonsvc.exe	99
PID 2616 wrote to memory of 1364	2616	DllCommonsvc.exe	99
PID 2616 wrote to memory of 1364	2616	DllCommonsvc.exe	99
PID 2616 wrote to memory of 2924	2616	DllCommonsvc.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e819921752c17b0e34060c1184b250b003a83332eec2d7fbe3c2ff9641d769ea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\it-IT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\de-DE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        6⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:876
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        8⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2248
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        10⤵
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1588
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat"
        12⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:876
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
        14⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1796
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
        16⤵
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1492
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
        18⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2312
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        20⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1652
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat"
        22⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2832
        
        C:\Program Files\Reference Assemblies\dllhost.exe
        
        "C:\Program Files\Reference Assemblies\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        24⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\it-IT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Office14\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8653c967764ce200f61fab896858be82

SHA1
96e293ec322e6d1e928f8beea9a230edbe15ebb4

SHA256
a7ab3b9e20e4b912c0e7b8f418b8aff3eb77951d5f9b13d33c7f83f3381355b1

SHA512
8943a0f1b3107051562ffa5433713f44f8c45d1ad39f2515bf4b52102472f7b1af5804ec5025b72b8828dd1965afeb96f3bd4fb6796b802e9042ea7fb998025a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73c03c959753b62f2e7209dfd7c22b8c

SHA1
a2ebbe8cdb25a6b17e3f9b5d1907105269766212

SHA256
f8b6c7124a06d3abb9b58e7daea5433dbd61df149e79616ac3589d0f6465b857

SHA512
35e377aaa864a45ccfc065d0022e6f48575dc5d38f11212760efc5477699c78fbdda029e3e9e4aefe62bbd4695f9febb7f48a29557b736edc2b8517e7a5e8bfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd46eef0ce679ef3adddd228e9b7d956

SHA1
91ee43a5056325c642ce6ae97fc0132664d1c58d

SHA256
a77816c62aa91524a00d06af7bfd8594829a8596ebc7b52c9f355e57caf84f4c

SHA512
7351693c5953c9f242b941a7465d1641cba241a05affc3bd2dda4a4c1a4fa7f24d778f9f1eae367b5cdb7497f2bb52eb31b959b85c2a7744544966c4071cb95d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc05e8d77675db454c34b2d02048b941

SHA1
b50dda3cef88376c68d5f02c4ad86f4d25b05148

SHA256
c5064e33be6ea531c1ad93240b8596f0b1b274faa33a6a94c42abb605b9fa28e

SHA512
089c85bc30c77ae968bcb8838c57046784cfb6072cdbcb13b6da1310959500570415650d89d3a0692176c852cb4d8f08842af7c5e3b0e0895b21203a54e14bbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc26d20a15dacaecca6f21f740460644

SHA1
67bd83119362631217ac7a8f6c0b96d1e318f384

SHA256
ec8d8bd3e41308fbacaf755b7ea5e584ba77d8ed9bed82fb7b718af254c31e1a

SHA512
64880684aac46747a9b473169c4297cc1261c26c15a09b78ea0abde05397640758648b0eee0aa5d403458e69ccba78aba2e3b3b42fff5d7aaa5d2b5ef2b4e9e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
946aebf2326c910211ca91b118217884

SHA1
57955380bca7edb53c5b7c2976faa06f3ca1bafc

SHA256
cee88d4192fee3bdd43f6814cff4052cacd9228b89442231345eeb7737b32232

SHA512
d6052ab1302905c5bfa94be0ea50303e790c46e222af5bf389fe06efbab62a20dc1362d0f58208a2ab6dac71edc4c3eb58a3df65504cbb4c5f5fbf3e2e951cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7fd51d9a11de4c0de725ecc96fa0f80

SHA1
038f554fa7b9a26c5013efe04c0d9f28f194f52f

SHA256
201a460265aee9268c39a4fc2c9db0286e63c72522e74419089c02574116ce98

SHA512
0f4caca364e782e032bd0aee6798d2a3cde9127b0373c52b6f327898f22dec3888561ff7da0447390dcb497041dc98e876ac6f4e2b003d0e95e60bb2cdc1ee57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce52b5c7dae046ca4808b00d37e8170e

SHA1
424c39fa5533e8ab6be3e0279dad8babc57030fe

SHA256
05233a8fd54ab614924f217d1976e1bc357790174c64bba08172adb9b427a46e

SHA512
e18b9b7349186458a9258201eed90ce3246f43b00375bfc5180198c992b84eb09f8dda734df72fff66b2e199a0a8f21f549207c0e1fe7db96e8550e24afcc7bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ee527f4ab997a2e284ba3df61710266

SHA1
1126cf6491586dcb366fa39f036c909eb2a73ea5

SHA256
4dab95e814385c264fde3e9f3e389bc165132c79290accd6fac7e072c5fd2cee

SHA512
7d5e1ea0de481a8b8d8cd426b3f7da1f561a98efd50e281eb6d500ba453a4117a4b00812edace77eb538297f58a538239d5ba8aa57078ba6b575827df57c888a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
214B

MD5
e5498147cf903d0d19fb919eacfaa4db

SHA1
532f36ae8ba724270a55c78308c0426d03329522

SHA256
2a498f49fa9a8d835c97edaf1ae8f7aac4a685b54507e054397f7d5dfdc60060

SHA512
311f9e6fc325c13f03025b053dbe0d13efe5249bdd111c0a112fd14f8c7397296c076161fb00abc4a83a57448c07d16ffadefbe622243c0614ca38b38fb3b38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
214B

MD5
6ac08e00f6de07d2658d92c4677549ee

SHA1
7a6411b38cecbddad8f84d8f845aa42d6041da77

SHA256
f920fcd7ff77332d0ed15fa6a2f4d015f740ff0864c15b13ed77d255a5487127

SHA512
10658fe156432803fd9d5459195f68b5d17bf7aea716365a1f081cd68aada120840aa3bae996227ec7beba5a3cf1e473d2f886a5135bed576d21881478fe3a35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab60D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
214B

MD5
3e938f49223f6b246c2353d48b4bb4a8

SHA1
3ca7b291f1283a636255abb8a2ee5984d2115a02

SHA256
a21180d3d28719f2e182b04ed9816f7d37ad394e0f0cf0f183ada6518a9e0f09

SHA512
02a2bac885c75013027d97d89cb3fd5d4e398bf788a2773173c25944f1da7d30ad3cdd07368d263320a87c859f013c17f70abe172c43822db494e46898cd1e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat

Filesize
214B

MD5
0bbbfd4e5cce3661007532b03d645fda

SHA1
7f1fa36c9a3d7bf53db11bbf4806478831a5b310

SHA256
416139a2a3e9b73953393f879b4a6ef77637e05c054ad778815e9f6edd6ea511

SHA512
1a737a27d92697792a1c62ee19688e159b45e0fe2781f611d70130c0e94e0771650d9cf1d1a5b58ec672adb83ea2bc8817266e99135de29dd2dfc239ff16bc29

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

Filesize
214B

MD5
7434cc70f5273ab894fbb266fb224357

SHA1
ba95cdffbf048a4c104a72d4d88ad5308fb12e25

SHA256
efbcd466faf293d50f24d276f7cd6dd428f2bf5986161f7df2d7998d7210a95e

SHA512
f0ef6c880ea30412c38d1c2441b901be5eb5f48e22e3ee8809d80779712b2df63508bca9b1eaa97d095ead88bdfe3f7a615a3fa7122744417f428eb3899e613f

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
214B

MD5
61ccc0f4341d0a162a8593c9e62337ad

SHA1
159a63b7fc885bd9e1bbc26874e367ef41683825

SHA256
62ee5cf8a4e25335f985080e2ad86551984f66ac4f08e92375b89b26f68f7617

SHA512
b3d6098ea595eba94f95d1df4cdea84ad9a8399f5daa0967df40778e25a63a636e72ec3398c53fe66754a8aebd21503534e7bebe401659c173d5fcd8823f2d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat

Filesize
214B

MD5
3922630abfd49cae27be9f52b2095166

SHA1
61f90b8c30ef0fcd2f8af47662355a50130a3210

SHA256
61dcf3f482d713fae0bf102c19a0bc9d23adecb3b8850dbe7694ca068f7610ce

SHA512
27ce0ab6e63f963acef014b30da3c10d901804e11d9e63989a852242750e2e54bc99e2b39f40d47289b9d734d0ef9a491c2050ced657d2c42a2c35c96c4e6618

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar60EA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

Filesize
214B

MD5
5177f541dbbcc6a3526455a7b2a1f1ab

SHA1
3fb0b9aa1aa255b338c2ed966867229ff287a5f7

SHA256
ff9b6dfa124b57b3462f33203cf41540dca5886c55148f83e314885a83518f89

SHA512
ab24b5fc9f8c39dcc1f523807982b12a7e7be3f0ce7aebf50d46c68e44030389c5241d2cc953fa4116d8888a6abe617e7ed287ca5a65e0bf953042fc912d6510

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
214B

MD5
08718ff9330db11f52196bfc1d58a6ea

SHA1
2bc025645a45d65bcb5c84b9abf8a530d8403b60

SHA256
1f69880680dabbfd85b66b13438104b9e34e282da76c4318824345e1566f4a7d

SHA512
d2476503bdcee65e63048cfda4212b752eb50557628c1c785a72895cd2135946d4d64c0fdf3eb4be3e5554999864493f036d300bb345b30a2eb12f6b7cf9f3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat

Filesize
214B

MD5
6fc5c65db8daeb4e7ba6acfc65fed1c8

SHA1
da1e91af63b5dd100c9d8a40914f76160ab6591e

SHA256
89e657f42d8d9135d9fb89b581eb00d72c5397f301ec3529963f10e5c73b7e55

SHA512
bf3e656af1e10c27a68ec3271eac931d312cff93d6d3fb8eedb91e90dae447dc6936ec478058d618eaede946e9d49346a2a2a73ff23903f9bbc296bbe9605a50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
63c42a04242a48d4fe111ed11ecf5e80

SHA1
413f2bb7f660b50b1bbcf2206d17653a52385ea0

SHA256
82eb5ba84d65dc81282f89308214d66e70cbe6562332b50d14410ace19cae739

SHA512
a509aec23a39ccf0c850864fb85c4114e7af2f79ef27bd6d30b505eb05292e0690b7ae10701665af5ecae98250503ac9d77853923149c70877d2db1c4626383d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1460-564-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/1460-565-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1548-443-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/1548-444-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1604-382-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/1604-383-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2068-61-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2080-322-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2080-321-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2264-81-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2324-261-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2332-625-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2336-504-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2464-685-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2616-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2616-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2616-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2616-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2616-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/2640-201-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2924-103-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download