dcrat | d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612.exe
Size

1.3MB
MD5

3bcb4478ff2b25353fbd98c290849933
SHA1

a2f5c958ff539a468613194f52a38996faeea220
SHA256

d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612
SHA512

4b712b49862c911597c2f8248ea18541eadf908e8270e96a91e43c6ec1bf9a1619ce76f04b3b644dfe5f01dc5637b63a831e87b348e6851b9750ae283ea6b240
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2928	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016ca2-10.dat	dcrat
behavioral1/memory/2752-13-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/1712-50-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/1692-178-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2412-239-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/2216-299-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/2732-359-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/2672-419-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/828-479-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2436-539-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/1248-658-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2828-718-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/108-779-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
580	powershell.exe
568	powershell.exe
928	powershell.exe
1544	powershell.exe
2456	powershell.exe
1512	powershell.exe
2416	powershell.exe
2412	powershell.exe
1116	powershell.exe
2316	powershell.exe
2380	powershell.exe
2244	powershell.exe
2784	powershell.exe
2284	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2752	DllCommonsvc.exe
1712	DllCommonsvc.exe
1692	DllCommonsvc.exe
2412	DllCommonsvc.exe
2216	DllCommonsvc.exe
2732	DllCommonsvc.exe
2672	DllCommonsvc.exe
828	DllCommonsvc.exe
2436	DllCommonsvc.exe
1604	DllCommonsvc.exe
1248	DllCommonsvc.exe
2828	DllCommonsvc.exe
108	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2700	cmd.exe
2700	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\es-ES\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2680	schtasks.exe
2856	schtasks.exe
2080	schtasks.exe
608	schtasks.exe
2100	schtasks.exe
1652	schtasks.exe
2720	schtasks.exe
2628	schtasks.exe
348	schtasks.exe
1580	schtasks.exe
716	schtasks.exe
1708	schtasks.exe
1852	schtasks.exe
1664	schtasks.exe
2704	schtasks.exe
600	schtasks.exe
628	schtasks.exe
2848	schtasks.exe
2976	schtasks.exe
632	schtasks.exe
2840	schtasks.exe
1612	schtasks.exe
2980	schtasks.exe
1980	schtasks.exe
1508	schtasks.exe
2260	schtasks.exe
2108	schtasks.exe
2052	schtasks.exe
1380	schtasks.exe
1028	schtasks.exe
692	schtasks.exe
1248	schtasks.exe
1100	schtasks.exe
1692	schtasks.exe
2372	schtasks.exe
3004	schtasks.exe
2876	schtasks.exe
548	schtasks.exe
2384	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
928	powershell.exe
1116	powershell.exe
2316	powershell.exe
2284	powershell.exe
1544	powershell.exe
2784	powershell.exe
2456	powershell.exe
580	powershell.exe
2412	powershell.exe
2416	powershell.exe
2380	powershell.exe
2244	powershell.exe
1512	powershell.exe
1712	DllCommonsvc.exe
568	powershell.exe
1692	DllCommonsvc.exe
2412	DllCommonsvc.exe
2216	DllCommonsvc.exe
2732	DllCommonsvc.exe
2672	DllCommonsvc.exe
828	DllCommonsvc.exe
2436	DllCommonsvc.exe
1604	DllCommonsvc.exe
1248	DllCommonsvc.exe
2828	DllCommonsvc.exe
108	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1712	DllCommonsvc.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1692	DllCommonsvc.exe
Token: SeDebugPrivilege	2412	DllCommonsvc.exe
Token: SeDebugPrivilege	2216	DllCommonsvc.exe
Token: SeDebugPrivilege	2732	DllCommonsvc.exe
Token: SeDebugPrivilege	2672	DllCommonsvc.exe
Token: SeDebugPrivilege	828	DllCommonsvc.exe
Token: SeDebugPrivilege	2436	DllCommonsvc.exe
Token: SeDebugPrivilege	1604	DllCommonsvc.exe
Token: SeDebugPrivilege	1248	DllCommonsvc.exe
Token: SeDebugPrivilege	2828	DllCommonsvc.exe
Token: SeDebugPrivilege	108	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2576	2156	JaffaCakes118_d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612.exe	30
PID 2156 wrote to memory of 2576	2156	JaffaCakes118_d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612.exe	30
PID 2156 wrote to memory of 2576	2156	JaffaCakes118_d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612.exe	30
PID 2156 wrote to memory of 2576	2156	JaffaCakes118_d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612.exe	30
PID 2576 wrote to memory of 2700	2576	WScript.exe	31
PID 2576 wrote to memory of 2700	2576	WScript.exe	31
PID 2576 wrote to memory of 2700	2576	WScript.exe	31
PID 2576 wrote to memory of 2700	2576	WScript.exe	31
PID 2700 wrote to memory of 2752	2700	cmd.exe	33
PID 2700 wrote to memory of 2752	2700	cmd.exe	33
PID 2700 wrote to memory of 2752	2700	cmd.exe	33
PID 2700 wrote to memory of 2752	2700	cmd.exe	33
PID 2752 wrote to memory of 928	2752	DllCommonsvc.exe	74
PID 2752 wrote to memory of 928	2752	DllCommonsvc.exe	74
PID 2752 wrote to memory of 928	2752	DllCommonsvc.exe	74
PID 2752 wrote to memory of 1116	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 1116	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 1116	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 2316	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 2316	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 2316	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 1544	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 1544	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 1544	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2784	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2244	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 2244	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 2244	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 2412	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 2412	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 2412	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 2284	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 2284	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 2284	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2416	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 568	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 568	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 568	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2456	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 2456	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 2456	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 580	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 580	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 580	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 2380	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2380	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2380	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 1712	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 1712	2752	DllCommonsvc.exe	102
PID 2752 wrote to memory of 1712	2752	DllCommonsvc.exe	102
PID 1712 wrote to memory of 2856	1712	DllCommonsvc.exe	103
PID 1712 wrote to memory of 2856	1712	DllCommonsvc.exe	103
PID 1712 wrote to memory of 2856	1712	DllCommonsvc.exe	103
PID 2856 wrote to memory of 348	2856	cmd.exe	105
PID 2856 wrote to memory of 348	2856	cmd.exe	105
PID 2856 wrote to memory of 348	2856	cmd.exe	105
PID 2856 wrote to memory of 1692	2856	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d44a094a9c2b7dde82f41ebc94ef9f52467655ba91b0ffa63e19e53462729612.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2700
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:348
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        8⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1552
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
        10⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2380
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
        12⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2960
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        14⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2272
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
        16⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:552
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
        18⤵
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2260
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat"
        20⤵
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2416
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
        22⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2264
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        24⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1872
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
        26⤵
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:556
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft\MSDN\8.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ae13ff24b4fb15fad2549d1e1ab2bc3

SHA1
1a67d7113bc2aed463a77874a6128317f6ca114e

SHA256
a6d2b225ccd44d34d0c9d02cdc43573f0bd2a9c482cc6e5c27c02a3ac24b3565

SHA512
f404681ff44ec59e213ff2879c054cc550d24f4cfb6be91782af8c1981982dd2ab037c8b215775e6102dc698dc52d6092593ba3b69b623c4a05c47551ec69500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e78227c15ff6df28c8344af51d360d87

SHA1
ffa97d3ba4187c9f801031c89cef4a9866c0010a

SHA256
69fc6ca4f2207e72e8e4a4c139d1efba43a6404419ea7106697ba80814bc943e

SHA512
d19809de3d03b2f4a3d33a64bd462a92c74bef8f21862ed2805c2bdb8ac5bf32ca8f68a4e797d147089f0d37dfeace63436c2c08286c7fe5023aa4941316f7aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd3d376b5d34753bf8656584b3483fce

SHA1
1ac3a6d3b117fd0827e53598968e768d94ebf22f

SHA256
c06b87aa4a3850fc3edabc1062b06dfdf1bcdc6efc44876d701e6b65835075a0

SHA512
22ef1e817827039282d8bf2919bce69d195e321d22d9a188880b50bb46be14425d5fcdd85b4b878cd9a0f7e7eb345210ae903bbcf96ae5b233277821cfc11833

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efdf7b7a165cc110c552f2cdff60b99a

SHA1
02e30814d3a10fb95bac76ae66950e11168c1e1d

SHA256
ea70e06329e8cd03180e7a9a1d9f712197b078a38f6b9ff8a4d70e110f05e0fc

SHA512
b05c96193ccf97e2021e25029dc4043a6e1d2d2a3be1327e1e485fcf12ef7f294ae403dfc56c253b81635ebc32b66922597117ae331fdf7e24938aea21e7dd9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddee5dea00fb78928e1c3feec783d936

SHA1
695d806d4f082af564aee5761dbd15bb9a83db09

SHA256
b01cb7b0e6ae9241b3aec474a3471c581805e1e2cd6abb3a0cc1dcd2d360e5eb

SHA512
729b7b5d06b8fca6a3c938d9082a0182f18ace56fa6a3a9cae2b30e73bb2d179f24c14344b18d0a32140cfc7c55a74dc17ed0f17e8eac01284d65f7673905c27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72d12bb7213d8f93d0d6c46473f16948

SHA1
2305849d9db7421ded5c1a4dbd5f958fc54d1f01

SHA256
294a268ad777f0d068b65f46455485dd7595f4aabb29f73d21aea1b7770c7d93

SHA512
0042bf29da1baae6454332825684ad214276ac7723563d10285384c9f998aa7f663626bd6680cc629318cdff079770e93db0d68445c7f4378e2fa5fa8b0de3b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3de932e63ca4df0dc6d5c618fe5fcfbe

SHA1
64fb16637dbde2ab114adc73a12d5fc92a614535

SHA256
166a401bbc86353ab3fa8dfe47ab5eb630b8edbd86b3895f300d6f75c310799a

SHA512
730824ab4a3136e02db96b6b19a34a606b9b63be6d90c629b635a82d054d4b35d091055a11995bdf172d56d4bb5cd7e8ed284169089efe254642f680b575afea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
342e515742760c2552b16f987c9157c7

SHA1
808032a0f3c334ae7a4c80578ac50b25bc4c9fd6

SHA256
37280eab262ef574f1e746aeb19a493fe3165bdbb5320b8d9431398a4ab27488

SHA512
b947817e27f8ce9f954781137c4c195da311d646cbc8c8f4bae199c03d4443bcf93c3e6e05ed32731ec7fe46277dcd899c64f5cc1cd5dd1b60ba324de3bea869

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
902658c4073c32f4eb827e266e9fbfe0

SHA1
24356c4ead637df3d04deb6ef16647875949c079

SHA256
dbe48f945a761a2b5a2ce8b4b05f029f8f7fcc90c311299325da0d61f73faa43

SHA512
21edfcf21cba237a7ddfe140eae1d6da1278fab6953850c3a4822b21c97b0bca130c808e97e430c02018bf12cbffc37b6083a76f870a8cd70e9c91ee322f60d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
318cefea6db9bde4af1a89243a5ab50f

SHA1
3b1e8d338232a5db0afc65b83dbaa82a4c8db903

SHA256
486cc4776794d2eb3ba2962a4b12527fbc9019505f1946296b53c859eb6828d0

SHA512
d5bd73748559215358d950d5d0e9c148d500ddf681f9fec2380f39b2fc01d63f3d2505455785977d9135cb14878105bf8f841d5d93e09f50f8d7027188f8837d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

Filesize
230B

MD5
ec8a050623ae6ffca8c42aed9a1f9686

SHA1
4a1a050cf4d2d8e319c13885ec26733838452d23

SHA256
1b4da61d548e6b8376c111371e16a8ee057916f9d33fd9404571c0c8c8c411bc

SHA512
66e45453027747ac35b800387c4731f70453242b534b69db1b017217e8d57366fd84cc4400d9aeaaea75d15b19b48d3f8d5e54aa6d4085f9dcac01f09dffddd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
230B

MD5
9cd9dbd5860a3bea50bccd8de238497c

SHA1
cc6f8abe2496eb991367b9b2b1bf75663b7afc85

SHA256
656ff425665bc815904077558d6831a961bf39f7fdf23ebecf5003f3630cfa06

SHA512
5b0373b7429e634c7bda0baa46bcc16e591a88d5355aecaa4c60a2a9a9817cec92a3d5207437784f040fb2e47a997ada14703acb367c875dc6d265482a2f7f1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
230B

MD5
523b3157c3cf75e5cd8901bea22858c7

SHA1
4354e58522d6ee72ebc2b1a24dd33aff74e6c101

SHA256
692982476c427dcb212f64cb9906dbb58991a65ac27be272ba12246b8bd19c91

SHA512
228d9fda465fc19d40444963a944be26add62b221094672944fbed9ef568ec636b541f92c7b0e5cd8b273d22b645dc16d14cecf999d922e6ba6930d5cebf3b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCD11.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
230B

MD5
d6f8da1a10e39f99b98b7e43a9129e9a

SHA1
2a58588af04ddd300cacca93b74ca149374c55ed

SHA256
c2ffa1ccfa46f1649ec9022b57c883f95a90735dbfe23343aaa58cb26f9af830

SHA512
dbdf5c41b34ccdf7056a697eee0a33c97e7e79ef26bee26410dd40fcebb75374493e5706de10b752947c15dde929b7f3f8c7fe14e8f01216d7fa53475e03a0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
230B

MD5
a5ba5426c5733d64709279e774c14aa9

SHA1
001e7e6df028556d7f28734fe8bcc758d16a37bc

SHA256
9a7149dafe4d0fc8429a4cb8e69f09806fdc0a8cb89af05507598e8b72c5c5e7

SHA512
bbc5392908fe74af59da7581ff3eb7461443e4a2332b7cfdca1d3c466e1d022e56db4c8168d1fa1ef6808ab1926ad613681c3e09005ddf509b33c1af13eb56e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

Filesize
230B

MD5
91a37d693fea90388e3a6c2b523db38c

SHA1
f491234d1e0260b93c63e23d767950ac12fb8349

SHA256
c4c022caaef2668d96a1cbb830dfad320571cd82de3378ead4baef51f9e0bcd8

SHA512
f0467f75ca0dae0ed0830c18432419b9c3af30eef88b7b0b2ffc6260193faba01f0397f58434b0cda2e0c548f26df9d34d1ddd21b9bd2f10157e3dbdf531e820

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

Filesize
230B

MD5
e881b785d7467a20ea6636f94496b82a

SHA1
e4098eed0c5c82c5dbee3f2495d9bf35994a4cc0

SHA256
a02cb8b67fdee0b6d6610a0a4465bb8467b9811e0f8cc40e8556a0b872281b94

SHA512
50b2fcdb4831697851ee23e5b39852c75242e3ba8406cb7441dfe9dc32bcdff1386d8be94a72aefd8a4f813fd3de0a864f5dfe84cd47428364d999ceff1a3477

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCD43.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V68XQM6FdC.bat

Filesize
230B

MD5
f1260c707e4fe6624ad2329cb9290763

SHA1
2ab53c0977434693f1c41f4eb8e1942a359db1ad

SHA256
b373a444061d6ff1eea70e08afd1b8e7aca6ddd7fa1f47d96f744872474229e9

SHA512
6ef3f7d711fd461375bb5ee7c91c6b285cd0a3b9ea3719001283ff4c6decf1bf9a1ded14da8b753063246705d50b1d96325b5c31b386e65a6d50acc3cca8f2d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

Filesize
230B

MD5
fba033d766a6521fd7439c72a19a1f57

SHA1
4212d1c5b8b2b8fc89f12117118b8f4fec449d57

SHA256
61775df0b0e1d1ed5e492078a7f9aec95dd249b8bf56ca475ed7ae9290b3acc9

SHA512
3df671798076041c0e91aff07567baf110ad7546ab35ebb427f6750d8afa829f8c116436f3bce15b99bdf2d601f764b9d2a8da352232a0d770d3a64b75a5bfb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat

Filesize
230B

MD5
4a74aea7a0531a12b8cbed6b990e1a0f

SHA1
b14b87f26537292aae31d4d5efa9789773244585

SHA256
191bccc20ee4dd4df7b878f24a24d9c1676439cc4f175dded1455b03ed13037d

SHA512
fa63e4c72f278b88f13f521936e149f60fcdb02c7c44de4ee65f5d0fc8a50d6ed38b5efd069fee073f60d7ee167b6dc2d40e201a26d7bf235f33b5fde558ee2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

Filesize
230B

MD5
b9c520e24364882b22ce145c9de14bb0

SHA1
2bb2767d60bb01aa36823ece7c89f87643ac3c0d

SHA256
8116278b9a4a2d60e01868e2452eda7c1a5ef6b870241b06b50d9bff24bfd87b

SHA512
b3894b07f203902cc6500a91e1d6cff29f6f998a0017265907804fec969d55a42747a0711dd05dcf062901c30c94db908dd97ce3efb6f24a52c01eefc58988c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
625e475b47e96b9f6a094b932686f5f1

SHA1
909606bbb4c0be7db26398155a8df897e8f6a267

SHA256
22acf7bb3a8bf4f8a8e3a39d020e86653ed777b3001ea14c7f5248f1760492e8

SHA512
5b73915d0e7f57bd1371fdbb866eb6be6879d601468dda904b73170fce09027d45379d71f755662e269c780ddeed90534551a4597da89e0e83c614659be00c21

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/108-779-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/828-479-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/928-76-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/928-77-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/1248-658-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/1692-179-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1692-178-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/1712-115-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1712-50-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/2216-299-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/2412-239-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2436-539-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2672-419-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2732-359-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2752-15-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2752-17-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/2828-718-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/2828-719-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download