dcrat | e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f.exe
Size

1.3MB
MD5

29633dee598317fa8ad49fb6239e9405
SHA1

3e39aeab8ac499feef1d13b7afcfdd0642bf38ef
SHA256

e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f
SHA512

b2fb2a52aa6865a03faac102860e0ad420ff39faac471cf0a1ecfb119c87c2696cd6db0a8cedbbf6c230d0b66d843f0b0cbbf94fb09e41520b9d8ea7d292b3eb
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2780	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193b8-12.dat	dcrat
behavioral1/memory/2488-13-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2896-154-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/676-273-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/784-333-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2052-393-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1784-453-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1080-513-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/972-573-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
1212	powershell.exe
2236	powershell.exe
812	powershell.exe
1784	powershell.exe
1136	powershell.exe
2352	powershell.exe
2828	powershell.exe
2772	powershell.exe
2120	powershell.exe
1804	powershell.exe
2280	powershell.exe
2748	powershell.exe
2552	powershell.exe
2856	powershell.exe
2064	powershell.exe
2228	powershell.exe
264	powershell.exe
1816	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2488	DllCommonsvc.exe
2896	sppsvc.exe
3068	sppsvc.exe
676	sppsvc.exe
784	sppsvc.exe
2052	sppsvc.exe
1784	sppsvc.exe
1080	sppsvc.exe
972	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	cmd.exe
2896	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\taskhost.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\Pictures\smss.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Pictures\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\SchCache\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3052	schtasks.exe
1676	schtasks.exe
1684	schtasks.exe
2492	schtasks.exe
1828	schtasks.exe
2580	schtasks.exe
2360	schtasks.exe
2300	schtasks.exe
1128	schtasks.exe
3060	schtasks.exe
2512	schtasks.exe
1932	schtasks.exe
2908	schtasks.exe
2576	schtasks.exe
2244	schtasks.exe
2348	schtasks.exe
1748	schtasks.exe
2016	schtasks.exe
580	schtasks.exe
1884	schtasks.exe
1252	schtasks.exe
2996	schtasks.exe
2288	schtasks.exe
1516	schtasks.exe
2416	schtasks.exe
2508	schtasks.exe
1576	schtasks.exe
2188	schtasks.exe
2472	schtasks.exe
1636	schtasks.exe
2540	schtasks.exe
472	schtasks.exe
2312	schtasks.exe
1668	schtasks.exe
588	schtasks.exe
692	schtasks.exe
2892	schtasks.exe
2140	schtasks.exe
1708	schtasks.exe
1320	schtasks.exe
1712	schtasks.exe
1832	schtasks.exe
2704	schtasks.exe
2064	schtasks.exe
1164	schtasks.exe
764	schtasks.exe
832	schtasks.exe
1740	schtasks.exe
524	schtasks.exe
2024	schtasks.exe
2728	schtasks.exe
2376	schtasks.exe
1652	schtasks.exe
2676	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs

pid	Process
2896	sppsvc.exe
3068	sppsvc.exe
676	sppsvc.exe
784	sppsvc.exe
2052	sppsvc.exe
1784	sppsvc.exe
1080	sppsvc.exe
972	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2488	DllCommonsvc.exe
2228	powershell.exe
1136	powershell.exe
264	powershell.exe
2064	powershell.exe
3048	powershell.exe
2856	powershell.exe
2280	powershell.exe
1212	powershell.exe
2236	powershell.exe
1816	powershell.exe
812	powershell.exe
2552	powershell.exe
1804	powershell.exe
2748	powershell.exe
1784	powershell.exe
2352	powershell.exe
2120	powershell.exe
2772	powershell.exe
2828	powershell.exe
2896	sppsvc.exe
3068	sppsvc.exe
676	sppsvc.exe
784	sppsvc.exe
2052	sppsvc.exe
1784	sppsvc.exe
1080	sppsvc.exe
972	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2488	DllCommonsvc.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2896	sppsvc.exe
Token: SeDebugPrivilege	3068	sppsvc.exe
Token: SeDebugPrivilege	676	sppsvc.exe
Token: SeDebugPrivilege	784	sppsvc.exe
Token: SeDebugPrivilege	2052	sppsvc.exe
Token: SeDebugPrivilege	1784	sppsvc.exe
Token: SeDebugPrivilege	1080	sppsvc.exe
Token: SeDebugPrivilege	972	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 3032	2268	JaffaCakes118_e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f.exe	30
PID 2268 wrote to memory of 3032	2268	JaffaCakes118_e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f.exe	30
PID 2268 wrote to memory of 3032	2268	JaffaCakes118_e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f.exe	30
PID 2268 wrote to memory of 3032	2268	JaffaCakes118_e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f.exe	30
PID 3032 wrote to memory of 2896	3032	WScript.exe	31
PID 3032 wrote to memory of 2896	3032	WScript.exe	31
PID 3032 wrote to memory of 2896	3032	WScript.exe	31
PID 3032 wrote to memory of 2896	3032	WScript.exe	31
PID 2896 wrote to memory of 2488	2896	cmd.exe	33
PID 2896 wrote to memory of 2488	2896	cmd.exe	33
PID 2896 wrote to memory of 2488	2896	cmd.exe	33
PID 2896 wrote to memory of 2488	2896	cmd.exe	33
PID 2488 wrote to memory of 2228	2488	DllCommonsvc.exe	89
PID 2488 wrote to memory of 2228	2488	DllCommonsvc.exe	89
PID 2488 wrote to memory of 2228	2488	DllCommonsvc.exe	89
PID 2488 wrote to memory of 2828	2488	DllCommonsvc.exe	90
PID 2488 wrote to memory of 2828	2488	DllCommonsvc.exe	90
PID 2488 wrote to memory of 2828	2488	DllCommonsvc.exe	90
PID 2488 wrote to memory of 3048	2488	DllCommonsvc.exe	91
PID 2488 wrote to memory of 3048	2488	DllCommonsvc.exe	91
PID 2488 wrote to memory of 3048	2488	DllCommonsvc.exe	91
PID 2488 wrote to memory of 2772	2488	DllCommonsvc.exe	92
PID 2488 wrote to memory of 2772	2488	DllCommonsvc.exe	92
PID 2488 wrote to memory of 2772	2488	DllCommonsvc.exe	92
PID 2488 wrote to memory of 2120	2488	DllCommonsvc.exe	93
PID 2488 wrote to memory of 2120	2488	DllCommonsvc.exe	93
PID 2488 wrote to memory of 2120	2488	DllCommonsvc.exe	93
PID 2488 wrote to memory of 1784	2488	DllCommonsvc.exe	94
PID 2488 wrote to memory of 1784	2488	DllCommonsvc.exe	94
PID 2488 wrote to memory of 1784	2488	DllCommonsvc.exe	94
PID 2488 wrote to memory of 812	2488	DllCommonsvc.exe	95
PID 2488 wrote to memory of 812	2488	DllCommonsvc.exe	95
PID 2488 wrote to memory of 812	2488	DllCommonsvc.exe	95
PID 2488 wrote to memory of 2748	2488	DllCommonsvc.exe	96
PID 2488 wrote to memory of 2748	2488	DllCommonsvc.exe	96
PID 2488 wrote to memory of 2748	2488	DllCommonsvc.exe	96
PID 2488 wrote to memory of 1804	2488	DllCommonsvc.exe	98
PID 2488 wrote to memory of 1804	2488	DllCommonsvc.exe	98
PID 2488 wrote to memory of 1804	2488	DllCommonsvc.exe	98
PID 2488 wrote to memory of 1212	2488	DllCommonsvc.exe	100
PID 2488 wrote to memory of 1212	2488	DllCommonsvc.exe	100
PID 2488 wrote to memory of 1212	2488	DllCommonsvc.exe	100
PID 2488 wrote to memory of 2552	2488	DllCommonsvc.exe	101
PID 2488 wrote to memory of 2552	2488	DllCommonsvc.exe	101
PID 2488 wrote to memory of 2552	2488	DllCommonsvc.exe	101
PID 2488 wrote to memory of 264	2488	DllCommonsvc.exe	102
PID 2488 wrote to memory of 264	2488	DllCommonsvc.exe	102
PID 2488 wrote to memory of 264	2488	DllCommonsvc.exe	102
PID 2488 wrote to memory of 1136	2488	DllCommonsvc.exe	103
PID 2488 wrote to memory of 1136	2488	DllCommonsvc.exe	103
PID 2488 wrote to memory of 1136	2488	DllCommonsvc.exe	103
PID 2488 wrote to memory of 2856	2488	DllCommonsvc.exe	104
PID 2488 wrote to memory of 2856	2488	DllCommonsvc.exe	104
PID 2488 wrote to memory of 2856	2488	DllCommonsvc.exe	104
PID 2488 wrote to memory of 2352	2488	DllCommonsvc.exe	105
PID 2488 wrote to memory of 2352	2488	DllCommonsvc.exe	105
PID 2488 wrote to memory of 2352	2488	DllCommonsvc.exe	105
PID 2488 wrote to memory of 2064	2488	DllCommonsvc.exe	106
PID 2488 wrote to memory of 2064	2488	DllCommonsvc.exe	106
PID 2488 wrote to memory of 2064	2488	DllCommonsvc.exe	106
PID 2488 wrote to memory of 2280	2488	DllCommonsvc.exe	107
PID 2488 wrote to memory of 2280	2488	DllCommonsvc.exe	107
PID 2488 wrote to memory of 2280	2488	DllCommonsvc.exe	107
PID 2488 wrote to memory of 2236	2488	DllCommonsvc.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e75891411ccf4ec5eb68128079867e4184a1f4160cbe2d7afc27882b0b73893f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Pictures\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NGHapxv4IE.bat"
        5⤵
        
        PID:1828
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2416
      - C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        7⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3052
        
        C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        9⤵
        
        PID:1220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2668
        
        C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        11⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2988
        
        C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        13⤵
        
        PID:672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2296
        
        C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        15⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2484
        
        C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        17⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1460
        
        C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat"
        19⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2228
        
        C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Pictures\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\CrashReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\Default\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7641d21c8d041ff0ce01902cdacdd271

SHA1
3cf78efa95279387cc84f849f46dd11b7972c225

SHA256
30f60efbad6e10a16d7c94e4188b55cd4756840017e44d56086497bbcf4b8cc8

SHA512
d6a1f4b0ea8794056ed63dfc8c70d632c2ed4d491e3073337b44038db9f29a85c8f0fa288122a836825da3f6d80d2fa17d073845e9283b36f4ffdef1a1919c60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6eb588a68837348ff3dee514b785e5ca

SHA1
804d251f1325cbc164efeaac4be06c70f3211759

SHA256
4c1741d9b38317a2ba5f0494c6f1d929c642ae8e7f26925c3a58306a93afbcdf

SHA512
018a11b7f3d30d3155328683acdd1e5c95b345a69ca3ceafa730de4d961dfb56cb9be54a6aa8d8b3e728b9e97bb61efdd638253b5715026174d649b77fbdf3db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb541edfb6f1d030403dfa8983037217

SHA1
5441da7032f69d499d1975dc910a9f9b53780c66

SHA256
41ed30f33c03645f96750a20751daa261f15e1f4550a2e1e2d62e20163232082

SHA512
9297d9722b31bb8a93332fa033537147f0408e65ce3474d74d4f1ed322fa139987f389efa8541fdd7b0d5e9fdc785ccb0ef8c2d172d57bf023c5a80e52f8d37c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b7d83a9ad7f4a6e8a28e2bf6f3aed8b

SHA1
9982164981db95118bf3ebfa5cab9349ced2ac72

SHA256
1a3bc9456a6d77b253109ad19131231c060c42e615e652b017e05df7bb6a85d6

SHA512
45da801ba643cf59585759a1c66b0adae4f5dac6e1caa9d7f845439c6e05e9978a1d15e70baf8bc2a196ca68a64cffbdc7d5179088d37ad0f064febaf7a8fa7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bffa2e0eb48d301113c64dcdc173db72

SHA1
26ba99b6c995ebdb8c5befaf62a634de23baabf2

SHA256
1155783474ab3bca976b554853bdd34ea65a7407815a8aad915d86d080785b11

SHA512
cc52180b220e2cd680343dafa909896689f30555713e3e481c9eedf8be9c3cdb1c8f10658c0c4c4ad0dcd602bcf73db3f6acda5fe930d5a6903eb552c683e042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5713cf6aa55a42131e7d9ba4c0abc41a

SHA1
8c3dc4f64c12dcfa30fc3e7d6a783324927a17ce

SHA256
d27a7dfbd53af5c2ab767fbe713ed43af7e5debacba0cbdf1ceb09a6f943e574

SHA512
81bd5b45df69a6123159e0bc166e1ca865764474c8718478799b52ff69ca420c78163d464062020323a3c1c1be1b7997fd78943fc76afc9d2fabe17796c910a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
223B

MD5
40493ea7641665d936b4c6bfbaeda442

SHA1
a09b04799f561f39573905ccba9a848a353275b6

SHA256
e90544b721683ee0343995d3d0b743c1428ba29a29afe30d3ccdb1acc797ee27

SHA512
6159598898f2bc1eb6cced21675c890605cf33cffbb60c216728b763bc2b150ffc28cd91f2577af3473a2e74dadb67db2ea81db257a76e3c78f5917451e94e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
223B

MD5
695e2c4107c1e59307341627ca9bee97

SHA1
da9e2077620d245b5b9f691a4df23e34522e6a4a

SHA256
8be4f90aa60db1a27a5571802603f667b460307bd951ecdd8774e61aa2e647cf

SHA512
4708a4baea711a05fbdc4faf51fb4dcbc7a57f599eec0449b7cc1808f5b1e0d3e42c53b21797aab3cea5f4c92b5f3b779dde95d253252184d5f534dfd35e1e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab560.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NGHapxv4IE.bat

Filesize
223B

MD5
04cc0f7b5e6e6d5338a06e62801b812a

SHA1
f443eb6e10fc22a2478ed1653cc720b7be9e5e3d

SHA256
519a6959038759c688e7d903c7bcd2a47faa37e3fc1aa83135731ddcaedf59cf

SHA512
6e9af6cc5d7fb2528eab53ae89b07f0654b545552b8162f0e82cfd1d852d170264a915ca9dd1ee21148e37dfd4e0ff7d794b4ddd31ca3d161ceff80a71222e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5EF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
223B

MD5
b7c54b4854e6dcb7399d6786aca451b4

SHA1
2d48b50db24ed6683a09e7e05e521f00e2e9f981

SHA256
c033c775997f586a91a00b2a5b320fa70d8bb47fb0285dde337dc9098ca03cd4

SHA512
6662e2e09c11e34f1e328ff44d067672977a24c1f9b6d0e3a2c1354d50d089654198171ba35ea1e302c7f1556d49848efacc3a4bee74954171c6d8fbf1f3fef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
223B

MD5
0d6a3e753a8e233477780fa7325c9f2c

SHA1
a854cac785f1c4aaaff12ecf5136500a646475c3

SHA256
f7b4e7d0c54d23c50f5fc6f54a7ecab70d01d8a958cbccfb43cc10d8d754474f

SHA512
ac4b0ed9dcd0e95229e5ffc50e230b4f7e3f936b496356a37ea290141b50b62144f7a58b489c3f7e4e1e5487d9f36e005b32d7d23beb545a4f93669cabb2c175

Download Submit
C:\Users\Admin\AppData\Local\Temp\iqKdioc4MG.bat

Filesize
223B

MD5
96b88d2c4e95ed9e9bf07d340a3ff9bb

SHA1
a40e2d3d50c7164e2163e098b6d1c80ffbb4a5e5

SHA256
15278af81fcbf6e273bea45030ff86e88e27fd741467317dccfb8cf644fc585a

SHA512
416f51bb2eac4473f24e9a98227611be6bbb1dab9ff9fa72823d67880ee8b06b7ee112fd6fe0cb1c3e12c887c0d3f5e6d74f67844f9b57d734f718c68a1dc7a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
223B

MD5
7afb078c05441e662b79e60b7e0b014b

SHA1
d6fb713e5326dae11f86d4dde96cd224347ad89d

SHA256
3135a09a7111109d9ef3620c32e53fa369b7d0cd96a4ec595d2d3ca5690d4f26

SHA512
7ad42653a7b19b6f10a4efd0475382939f4524e1e5481c2505d4330771df6200e97e1dbe7287e25cc528a83e57b326468d6b8530356f9b51772478ae9082989d

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
223B

MD5
73fd8ac09c0bd64c484bbdb734200c6f

SHA1
80fe430c38ce57b91fbe62252729429b09bfc465

SHA256
b7a01c76d4a105010b370cdacae670530ca75ad4835ccdb4240027d58460de43

SHA512
162cd6ddf439a5468e88eb8633312586e13f6fb985267895320663be5104a56dc942cb876153ec63f6c3d979d2496205d025016a0fe37dedc4226002448cd67a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b18e6c5e6a14f0e77283d2d447aaa982

SHA1
6d1da6801c2d7e8507ea6a6487ec16c8b5d1cecb

SHA256
d947a40c20ab4fd3ccc8e71c8dc955bc528c01b8ac629fe6a277c39741583439

SHA512
2558b61ec934f0ab394c56b25ca9088b67871db257d0ad6a653cf6b55a79fe0fba587320fcd5f6d7d0b7c20ebe0e477adc3c32999ced1338cfab38662447025b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/676-273-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/784-333-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/972-573-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/1080-513-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/1784-453-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2052-393-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2228-62-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2228-64-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2488-15-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2488-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2488-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2488-13-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2488-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2896-155-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2896-154-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download