dcrat | 9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b

Analysis

max time kernel
142s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b.exe
Size

1.3MB
MD5

c81d41335d9bff2511b8c0722126b1ba
SHA1

199500ca9a822ed6ef7539ca29208790c6a2a1f3
SHA256

9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b
SHA512

1a428bbef6de7ef68a5e57c25fb394d31a0b0b4cc9e8f474b75bf5348f7edbf07228e8d251d671d2f310198deae214025e77ab78c90b5776afe6c0feb6d08140
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2876	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192f0-12.dat	dcrat
behavioral1/memory/2220-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/1036-126-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/1536-185-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2912-246-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/1436-307-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2684-368-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/328-428-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2200-488-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/2356-548-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1692-608-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/2996-668-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1296	powershell.exe
1928	powershell.exe
540	powershell.exe
2236	powershell.exe
2900	powershell.exe
868	powershell.exe
1636	powershell.exe
272	powershell.exe
2308	powershell.exe
2256	powershell.exe
2952	powershell.exe
2428	powershell.exe
820	powershell.exe
1476	powershell.exe
1564	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2220	DllCommonsvc.exe
1036	conhost.exe
1536	conhost.exe
2912	conhost.exe
1436	conhost.exe
2684	conhost.exe
328	conhost.exe
2200	conhost.exe
2356	conhost.exe
1692	conhost.exe
2996	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1256	cmd.exe
1256	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\en-US\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\en-US\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\servicing\GC64\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..vider-dll.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b0f89e5b898f4f95\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
932	schtasks.exe
2456	schtasks.exe
2100	schtasks.exe
2980	schtasks.exe
1804	schtasks.exe
2972	schtasks.exe
2616	schtasks.exe
1136	schtasks.exe
2452	schtasks.exe
1648	schtasks.exe
2760	schtasks.exe
2276	schtasks.exe
2372	schtasks.exe
852	schtasks.exe
1976	schtasks.exe
1092	schtasks.exe
2596	schtasks.exe
288	schtasks.exe
1084	schtasks.exe
936	schtasks.exe
2904	schtasks.exe
2988	schtasks.exe
1872	schtasks.exe
2808	schtasks.exe
2040	schtasks.exe
1860	schtasks.exe
1776	schtasks.exe
2936	schtasks.exe
1868	schtasks.exe
2156	schtasks.exe
1972	schtasks.exe
576	schtasks.exe
1916	schtasks.exe
1640	schtasks.exe
1664	schtasks.exe
2964	schtasks.exe
1644	schtasks.exe
2948	schtasks.exe
2920	schtasks.exe
2216	schtasks.exe
660	schtasks.exe
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2220	DllCommonsvc.exe
2220	DllCommonsvc.exe
2220	DllCommonsvc.exe
2220	DllCommonsvc.exe
2220	DllCommonsvc.exe
868	powershell.exe
1296	powershell.exe
1476	powershell.exe
820	powershell.exe
2428	powershell.exe
2900	powershell.exe
1564	powershell.exe
2256	powershell.exe
1928	powershell.exe
540	powershell.exe
2236	powershell.exe
2952	powershell.exe
272	powershell.exe
1636	powershell.exe
2308	powershell.exe
1036	conhost.exe
1536	conhost.exe
2912	conhost.exe
1436	conhost.exe
2684	conhost.exe
328	conhost.exe
2200	conhost.exe
2356	conhost.exe
1692	conhost.exe
2996	conhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2220	DllCommonsvc.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1036	conhost.exe
Token: SeDebugPrivilege	1536	conhost.exe
Token: SeDebugPrivilege	2912	conhost.exe
Token: SeDebugPrivilege	1436	conhost.exe
Token: SeDebugPrivilege	2684	conhost.exe
Token: SeDebugPrivilege	328	conhost.exe
Token: SeDebugPrivilege	2200	conhost.exe
Token: SeDebugPrivilege	2356	conhost.exe
Token: SeDebugPrivilege	1692	conhost.exe
Token: SeDebugPrivilege	2996	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2412	2504	JaffaCakes118_9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b.exe	30
PID 2504 wrote to memory of 2412	2504	JaffaCakes118_9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b.exe	30
PID 2504 wrote to memory of 2412	2504	JaffaCakes118_9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b.exe	30
PID 2504 wrote to memory of 2412	2504	JaffaCakes118_9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b.exe	30
PID 2412 wrote to memory of 1256	2412	WScript.exe	31
PID 2412 wrote to memory of 1256	2412	WScript.exe	31
PID 2412 wrote to memory of 1256	2412	WScript.exe	31
PID 2412 wrote to memory of 1256	2412	WScript.exe	31
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 1256 wrote to memory of 2220	1256	cmd.exe	33
PID 2220 wrote to memory of 2256	2220	DllCommonsvc.exe	77
PID 2220 wrote to memory of 2256	2220	DllCommonsvc.exe	77
PID 2220 wrote to memory of 2256	2220	DllCommonsvc.exe	77
PID 2220 wrote to memory of 2952	2220	DllCommonsvc.exe	78
PID 2220 wrote to memory of 2952	2220	DllCommonsvc.exe	78
PID 2220 wrote to memory of 2952	2220	DllCommonsvc.exe	78
PID 2220 wrote to memory of 2428	2220	DllCommonsvc.exe	79
PID 2220 wrote to memory of 2428	2220	DllCommonsvc.exe	79
PID 2220 wrote to memory of 2428	2220	DllCommonsvc.exe	79
PID 2220 wrote to memory of 1296	2220	DllCommonsvc.exe	80
PID 2220 wrote to memory of 1296	2220	DllCommonsvc.exe	80
PID 2220 wrote to memory of 1296	2220	DllCommonsvc.exe	80
PID 2220 wrote to memory of 1928	2220	DllCommonsvc.exe	81
PID 2220 wrote to memory of 1928	2220	DllCommonsvc.exe	81
PID 2220 wrote to memory of 1928	2220	DllCommonsvc.exe	81
PID 2220 wrote to memory of 2236	2220	DllCommonsvc.exe	82
PID 2220 wrote to memory of 2236	2220	DllCommonsvc.exe	82
PID 2220 wrote to memory of 2236	2220	DllCommonsvc.exe	82
PID 2220 wrote to memory of 820	2220	DllCommonsvc.exe	83
PID 2220 wrote to memory of 820	2220	DllCommonsvc.exe	83
PID 2220 wrote to memory of 820	2220	DllCommonsvc.exe	83
PID 2220 wrote to memory of 1476	2220	DllCommonsvc.exe	84
PID 2220 wrote to memory of 1476	2220	DllCommonsvc.exe	84
PID 2220 wrote to memory of 1476	2220	DllCommonsvc.exe	84
PID 2220 wrote to memory of 2900	2220	DllCommonsvc.exe	85
PID 2220 wrote to memory of 2900	2220	DllCommonsvc.exe	85
PID 2220 wrote to memory of 2900	2220	DllCommonsvc.exe	85
PID 2220 wrote to memory of 1636	2220	DllCommonsvc.exe	86
PID 2220 wrote to memory of 1636	2220	DllCommonsvc.exe	86
PID 2220 wrote to memory of 1636	2220	DllCommonsvc.exe	86
PID 2220 wrote to memory of 1564	2220	DllCommonsvc.exe	87
PID 2220 wrote to memory of 1564	2220	DllCommonsvc.exe	87
PID 2220 wrote to memory of 1564	2220	DllCommonsvc.exe	87
PID 2220 wrote to memory of 272	2220	DllCommonsvc.exe	88
PID 2220 wrote to memory of 272	2220	DllCommonsvc.exe	88
PID 2220 wrote to memory of 272	2220	DllCommonsvc.exe	88
PID 2220 wrote to memory of 540	2220	DllCommonsvc.exe	89
PID 2220 wrote to memory of 540	2220	DllCommonsvc.exe	89
PID 2220 wrote to memory of 540	2220	DllCommonsvc.exe	89
PID 2220 wrote to memory of 2308	2220	DllCommonsvc.exe	90
PID 2220 wrote to memory of 2308	2220	DllCommonsvc.exe	90
PID 2220 wrote to memory of 2308	2220	DllCommonsvc.exe	90
PID 2220 wrote to memory of 868	2220	DllCommonsvc.exe	91
PID 2220 wrote to memory of 868	2220	DllCommonsvc.exe	91
PID 2220 wrote to memory of 868	2220	DllCommonsvc.exe	91
PID 2220 wrote to memory of 2828	2220	DllCommonsvc.exe	107
PID 2220 wrote to memory of 2828	2220	DllCommonsvc.exe	107
PID 2220 wrote to memory of 2828	2220	DllCommonsvc.exe	107
PID 2828 wrote to memory of 1868	2828	cmd.exe	109
PID 2828 wrote to memory of 1868	2828	cmd.exe	109
PID 2828 wrote to memory of 1868	2828	cmd.exe	109
PID 2828 wrote to memory of 1036	2828	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9337595c6d78686d78651073ee5eca6dbfa0a390d96384cb5f8cc8eec15c1f2b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1256
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zingaQRu5t.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1868
      - C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        7⤵
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1952
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
        9⤵
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1992
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        11⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1748
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        13⤵
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3056
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        15⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2772
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        17⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1188
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
        19⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2808
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        21⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1488
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        23⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:880
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Pictures\Sample Pictures\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
687a6e245795024869db17ff1800c3df

SHA1
756c2a634b2784411878e60a7442a6125ec064c1

SHA256
aa887d8c37f54f832a2bc822a6c07e078e73558c3bb9e32d4aad5ce3aa6e1840

SHA512
afa803812cf3643bf709c25d449a0c530b8d7e825a77871c81e93146c6151fda7bd3d5484faccf7a3b4e2615d853c7a3f4526109992eb15f9f21f6a36d3aba75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd2a6433fd21e378a441a9c0233e2312

SHA1
067f0f12ff453c8f42386173b23c86544ce58281

SHA256
99a520454c99019c9174e4e524bce8bdb83c36036cee57499d02762b6281b8a2

SHA512
4b951e0a639e35cb23c6f0318bb3b6b8850b81c07094a77246f63248775aec64405ba374a69413cb86e1b0763255d9d6b975e64f757fbcb3122449f0a2be24ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cf3a979123244af4e77d264d3614e2c

SHA1
2cf064ecda764f14de961993ff40d0ac61ee4d5f

SHA256
7d0e1a65fe94cdcc35a286fb6ee70ae19463497d1c8b2e92e01d36f8af60ee95

SHA512
92d1931ed76ece649a3d65b29b1f9407164c1ebcdbbce612d6f4f567f0b76d406f69f1c2dd1986ef217bc90490bb6bc0f44ac0d67e8ce749bfdad8773be2b08b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b42747bef1ffca7940fae8f35590e28a

SHA1
3fdd3ae6c0dbf642af366337f4ace1d088402840

SHA256
d5b3b12da9c91d92e4437df0ee27b11031f6441842210d024013c32740048ab1

SHA512
1ee2ec081404f618dfcafd55f3727dc2d0f2b61188670bfe846940cea101b9e502899fb5ae6c9bd7e911db72fc707b9ed2cdc75987c5220346fd7c9050cb26e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aed1684057fa3dd7d030e071f0ef10f4

SHA1
5ad064749e3c04e8c986b181058fa4b0871fa180

SHA256
a8460e28240c982d032bae062c12f49e368abe2c832c4517363a792b2ab5aabc

SHA512
d4991da6aed6b594d1ce9ac173381d094b2e05a754ed406c2849f9a200ea0ebc6f3124e12351890b4e80b27b73f0ec9c1c29f8401df6d828f290ce59565a0c85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75ca9c60d2d428a63a56e55ac71ff737

SHA1
b34e7b22bc61d4223c72963c839d8cb763896b87

SHA256
6a6f1d7b34c6c36413c0b424b0a06963fb48d0899d415690c7d1efe4fdf66644

SHA512
fd54c42f231b3448ece40e23f602a413e9a9a37f7c276ca6e02e28a336ccd83f15e4d851b0108e88079df42c98703916f0cf8b7970bdceb51b51340b3e61a29d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2812b169804e1f46e6b61bce0f7c04c

SHA1
d26e43664ef8374c2c58e332c5d2bc9287394d7f

SHA256
36b284336d33b15bfb293373a48e64d74dd456fdd4d7dae069a1410eaaf68b08

SHA512
7035163e1a95ac5838b2b559a73df5bc4f43e797b5d36df21b04626cb33bda3eea98787a893373e13a93bc313af0b3cba2eee47c15f7639bb662b16c723614ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46b79741233fbadf75b4883842d7d2b2

SHA1
f1319d2b51bdef09116f15f3adbfb880de1dac24

SHA256
a09a991f8886817589d155f3aca286ebae846a93a455b188df1c952f9ec26acf

SHA512
f1859584deffe5f6ed71bfc733b7e6dd568d3a76b52a9ebd50d42a761d2bd0e2fc5557be188c0380d7944cf5ae932e31c041821a5b0a6ee14e1960d01e14422a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
194B

MD5
97b77177cfcac2e28c095577d2913550

SHA1
512b19613608a22557d4b7dfa809f2a5a5a5c048

SHA256
1f2b5b25db8db2128662693efef8ad34cbdcaf8d6efe36b67452c33d28cd9156

SHA512
261fc9180953695a8231a0ae5e7a8876912e63a49d651b5370d771d2a1a33b67f6c00e92fdf1b8a2a5b946894a24219ee8928b4983a040783b22a386b9ee3a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
194B

MD5
85cd03a0911f398891cdd4b27d3ce2ac

SHA1
8e342946cb07109b804b9465f1640a537a44d8f1

SHA256
0e45c644f36ebb6231aded62e4a96722119371483ad9c9c3b0d54b720da98f25

SHA512
adebb7e14c45d40011517aa95532d19753c2d8e629f90e70ff17e6e88236958fee55049e9bee953ef5843a3f5d68f5755dbe5a6ee3f418fb574e6d7337e4e6a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF894.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat

Filesize
194B

MD5
350d173f198ab0649e29f7fe8ec93173

SHA1
7cb0b07fb4315e9e4c31c42234ff5b8bee8cfa75

SHA256
b3fd66c64223cdd022941c8b39dde586bea084846bdefeb2e4f1628f30116eaf

SHA512
e30eed5460ac1f19f667fc5c0e037733d594a9cc3aede7702b4b0d3ca97dc177f6f6b0ca5c9d1a9dbf260e99abfe64891591a4904445d430405d04f73c6017c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
194B

MD5
7464f612d4f737302c4012a04660c06f

SHA1
40263f6c932c91d2a6ef23e7a68cc312e422ee50

SHA256
12b04425b164241ce57a5fc5b6fc20c84463954a4cb95516d4c96adcc02bbb1e

SHA512
7eb65d9155240ad4fdb9a3dab45125d61b8fc4c9c136f102f86f67f8e0f121dd548ebdaaf81317781b7d047e5153ef91164d345383763bd0cc380647d95ba8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8A6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
194B

MD5
1131f96a32fe02965ad453a0d77111a8

SHA1
ea42b01dcd066620d158067b1af74e1af7027d4a

SHA256
d58cac34b4a72700beb9926c9365f90fb47f0e29fe84c4a42b3e8db174e9a624

SHA512
c60447211eee2b56f4916238f4b203dd2a63079728a312f9e2b451f716060b418c2cc3fae80b82a4f2a150a7d32fd662262dbca618aaf71cc3432b10639851bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
194B

MD5
7a2469ca251674581fda8dfec305d80f

SHA1
bca28e3bd03b75949dad28c59db6690aaf5f5a99

SHA256
8344eb66c2810bbf261637e46652d0e653fc4642146e174b31aa7f2e4087bc12

SHA512
8d291711e2078835935cec2d58a48e193ca3b627c87a6eb28028abdfc2b2485e6f3bbdc9425f3922fcfd8fec4fef5de32c2b1622627514f453cd4cd0e6e1ef4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
194B

MD5
8a440d139da78cc70611b5e1ca49c1d3

SHA1
60ee4948138e0f123b06cafba74ed2d1378514ab

SHA256
046687e6191d06575a182216bd2212b86477b0cfcf56a5ff5539a9ee3b2b57ca

SHA512
8c748f5a44bc1520a4085ecf580bf41db5ea1a2b701ee97fcd2b2c79b20fa460a1ab9fe6894c904422194c4f8fbc489411aa3b3257f24fa52d2743e4ba127e3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
194B

MD5
7c8c3f67bc991ccdd2ab5c3e176cc1aa

SHA1
c195a094f358f9ff19a129f6e1825892d5dc87f0

SHA256
e199c3fefd990b953e900daec2ba09ce5dcd37fc6480908af19c4b7515e4079a

SHA512
1e6cf3869729f631416237e1b382056970149cd66bdc4dba20f68e5774f3852a76985fadbd8f0d7b85d3fa95042fa5b2ec070378ac76571ad11987842d0be018

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat

Filesize
194B

MD5
9b2d11eeb9e3884f9328288489d968fc

SHA1
9ab79cb7fb5d4685d9c0497619078f32c9c38a83

SHA256
d9804c483b367ab6a7f22341f4f107bbe387d8ff9ef683f75593c8d6808b6fbe

SHA512
99d4a363503aadd5dd580b2fdac7c115a049917dc23315af14ca6fed592a7e70cc97fc5be51b834ea5d67608ef98cf3dee2ed1799416c417a7d62abf2d20ab4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zingaQRu5t.bat

Filesize
194B

MD5
62584eeece4daf3b0ece1711562e3f8e

SHA1
51ee2fde41ebe3eabcd755a3961238798ea0d30a

SHA256
9b17283f18db8c8cc42fe22ec8f598c519180ca7d5d7ebc92ee5df838ce52dd2

SHA512
fec4191cba06439c78a9ad199da4b0cf2111fde9d25736a83a5d02310141683e09defc99d48ab3f847d238f0980d70c96b7527e33268eb06ce1e53a8a8c3b97b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
04709d75d2b65bb44764ddd617a33e2a

SHA1
f0be5873d11b21beee26a212b175d99343fc7310

SHA256
769913151908b8e91052269d2bdf6dc96bb05dc8b3694b3d3d73e820e6f11c37

SHA512
c0bf06d633c55b8948a44b6efe7f5fb48842ea928e5fda87703d1f1450b50b051e2220a534aa2e829c16da95741824c9b24691d1fa99874e245c0413ed8b616f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/328-428-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/868-92-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1036-126-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/1296-80-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1436-307-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1436-308-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1536-186-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1536-185-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1692-608-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/2200-488-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2220-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2220-16-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2220-15-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2220-14-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2356-548-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2684-368-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2912-246-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2912-247-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2996-668-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2996-669-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download