dcrat | 84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637.exe
Size

1.3MB
MD5

4448a79abfa79adcdb7c7f0d80f81ead
SHA1

9b4657ed79341b6d9a7d41ed02ef017c17b8ffe6
SHA256

84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637
SHA512

590fae0f70ca8e779623fb9905ed964aa60a3f8e4f825cfe1730402a86d46259021d5e102053c46637e7e47588ab16a720ec3a9ded1aed77fd24e235b77e2ac2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2468	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2468	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c23-9.dat	dcrat
behavioral1/memory/1376-13-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/1600-116-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/956-212-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/324-273-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/1828-333-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/2100-393-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/2180-453-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/1216-513-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/608-573-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1768-633-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
2224	powershell.exe
976	powershell.exe
2044	powershell.exe
1084	powershell.exe
1356	powershell.exe
960	powershell.exe
2756	powershell.exe
948	powershell.exe
1460	powershell.exe
2900	powershell.exe
3024	powershell.exe
1364	powershell.exe
1656	powershell.exe
1704	powershell.exe
2460	powershell.exe
1184	powershell.exe
1388	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1376	DllCommonsvc.exe
1536	DllCommonsvc.exe
1600	WmiPrvSE.exe
956	WmiPrvSE.exe
324	WmiPrvSE.exe
1828	WmiPrvSE.exe
2100	WmiPrvSE.exe
2180	WmiPrvSE.exe
1216	WmiPrvSE.exe
608	WmiPrvSE.exe
1768	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	cmd.exe
2140	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1972	schtasks.exe
1752	schtasks.exe
2640	schtasks.exe
2396	schtasks.exe
1016	schtasks.exe
2192	schtasks.exe
2960	schtasks.exe
2656	schtasks.exe
2752	schtasks.exe
2076	schtasks.exe
2184	schtasks.exe
2736	schtasks.exe
1668	schtasks.exe
1364	schtasks.exe
1252	schtasks.exe
2072	schtasks.exe
1644	schtasks.exe
1572	schtasks.exe
2976	schtasks.exe
2652	schtasks.exe
2472	schtasks.exe
1104	schtasks.exe
828	schtasks.exe
2200	schtasks.exe
2408	schtasks.exe
2956	schtasks.exe
1796	schtasks.exe
2100	schtasks.exe
2632	schtasks.exe
948	schtasks.exe
3008	schtasks.exe
2496	schtasks.exe
2652	schtasks.exe
2680	schtasks.exe
2996	schtasks.exe
2088	schtasks.exe
1328	schtasks.exe
2788	schtasks.exe
2808	schtasks.exe
2796	schtasks.exe
2156	schtasks.exe
2220	schtasks.exe
2288	schtasks.exe
2772	schtasks.exe
2952	schtasks.exe
1196	schtasks.exe
756	schtasks.exe
2976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1376	DllCommonsvc.exe
1184	powershell.exe
1704	powershell.exe
2944	powershell.exe
976	powershell.exe
2044	powershell.exe
960	powershell.exe
1460	powershell.exe
1084	powershell.exe
1356	powershell.exe
2460	powershell.exe
1656	powershell.exe
1536	DllCommonsvc.exe
1388	powershell.exe
2224	powershell.exe
2900	powershell.exe
2756	powershell.exe
1364	powershell.exe
3024	powershell.exe
948	powershell.exe
1600	WmiPrvSE.exe
956	WmiPrvSE.exe
324	WmiPrvSE.exe
1828	WmiPrvSE.exe
2100	WmiPrvSE.exe
2180	WmiPrvSE.exe
1216	WmiPrvSE.exe
608	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1376	DllCommonsvc.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1536	DllCommonsvc.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1600	WmiPrvSE.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	956	WmiPrvSE.exe
Token: SeDebugPrivilege	324	WmiPrvSE.exe
Token: SeDebugPrivilege	1828	WmiPrvSE.exe
Token: SeDebugPrivilege	2100	WmiPrvSE.exe
Token: SeDebugPrivilege	2180	WmiPrvSE.exe
Token: SeDebugPrivilege	1216	WmiPrvSE.exe
Token: SeDebugPrivilege	608	WmiPrvSE.exe
Token: SeDebugPrivilege	1768	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 2564	2580	JaffaCakes118_84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637.exe	30
PID 2580 wrote to memory of 2564	2580	JaffaCakes118_84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637.exe	30
PID 2580 wrote to memory of 2564	2580	JaffaCakes118_84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637.exe	30
PID 2580 wrote to memory of 2564	2580	JaffaCakes118_84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637.exe	30
PID 2564 wrote to memory of 2140	2564	WScript.exe	32
PID 2564 wrote to memory of 2140	2564	WScript.exe	32
PID 2564 wrote to memory of 2140	2564	WScript.exe	32
PID 2564 wrote to memory of 2140	2564	WScript.exe	32
PID 2140 wrote to memory of 1376	2140	cmd.exe	34
PID 2140 wrote to memory of 1376	2140	cmd.exe	34
PID 2140 wrote to memory of 1376	2140	cmd.exe	34
PID 2140 wrote to memory of 1376	2140	cmd.exe	34
PID 1376 wrote to memory of 976	1376	DllCommonsvc.exe	66
PID 1376 wrote to memory of 976	1376	DllCommonsvc.exe	66
PID 1376 wrote to memory of 976	1376	DllCommonsvc.exe	66
PID 1376 wrote to memory of 1184	1376	DllCommonsvc.exe	67
PID 1376 wrote to memory of 1184	1376	DllCommonsvc.exe	67
PID 1376 wrote to memory of 1184	1376	DllCommonsvc.exe	67
PID 1376 wrote to memory of 960	1376	DllCommonsvc.exe	68
PID 1376 wrote to memory of 960	1376	DllCommonsvc.exe	68
PID 1376 wrote to memory of 960	1376	DllCommonsvc.exe	68
PID 1376 wrote to memory of 1356	1376	DllCommonsvc.exe	70
PID 1376 wrote to memory of 1356	1376	DllCommonsvc.exe	70
PID 1376 wrote to memory of 1356	1376	DllCommonsvc.exe	70
PID 1376 wrote to memory of 1084	1376	DllCommonsvc.exe	71
PID 1376 wrote to memory of 1084	1376	DllCommonsvc.exe	71
PID 1376 wrote to memory of 1084	1376	DllCommonsvc.exe	71
PID 1376 wrote to memory of 2944	1376	DllCommonsvc.exe	72
PID 1376 wrote to memory of 2944	1376	DllCommonsvc.exe	72
PID 1376 wrote to memory of 2944	1376	DllCommonsvc.exe	72
PID 1376 wrote to memory of 2460	1376	DllCommonsvc.exe	74
PID 1376 wrote to memory of 2460	1376	DllCommonsvc.exe	74
PID 1376 wrote to memory of 2460	1376	DllCommonsvc.exe	74
PID 1376 wrote to memory of 2044	1376	DllCommonsvc.exe	75
PID 1376 wrote to memory of 2044	1376	DllCommonsvc.exe	75
PID 1376 wrote to memory of 2044	1376	DllCommonsvc.exe	75
PID 1376 wrote to memory of 1704	1376	DllCommonsvc.exe	76
PID 1376 wrote to memory of 1704	1376	DllCommonsvc.exe	76
PID 1376 wrote to memory of 1704	1376	DllCommonsvc.exe	76
PID 1376 wrote to memory of 1460	1376	DllCommonsvc.exe	77
PID 1376 wrote to memory of 1460	1376	DllCommonsvc.exe	77
PID 1376 wrote to memory of 1460	1376	DllCommonsvc.exe	77
PID 1376 wrote to memory of 1656	1376	DllCommonsvc.exe	78
PID 1376 wrote to memory of 1656	1376	DllCommonsvc.exe	78
PID 1376 wrote to memory of 1656	1376	DllCommonsvc.exe	78
PID 1376 wrote to memory of 1536	1376	DllCommonsvc.exe	83
PID 1376 wrote to memory of 1536	1376	DllCommonsvc.exe	83
PID 1376 wrote to memory of 1536	1376	DllCommonsvc.exe	83
PID 1536 wrote to memory of 2756	1536	DllCommonsvc.exe	107
PID 1536 wrote to memory of 2756	1536	DllCommonsvc.exe	107
PID 1536 wrote to memory of 2756	1536	DllCommonsvc.exe	107
PID 1536 wrote to memory of 2900	1536	DllCommonsvc.exe	108
PID 1536 wrote to memory of 2900	1536	DllCommonsvc.exe	108
PID 1536 wrote to memory of 2900	1536	DllCommonsvc.exe	108
PID 1536 wrote to memory of 3024	1536	DllCommonsvc.exe	109
PID 1536 wrote to memory of 3024	1536	DllCommonsvc.exe	109
PID 1536 wrote to memory of 3024	1536	DllCommonsvc.exe	109
PID 1536 wrote to memory of 948	1536	DllCommonsvc.exe	111
PID 1536 wrote to memory of 948	1536	DllCommonsvc.exe	111
PID 1536 wrote to memory of 948	1536	DllCommonsvc.exe	111
PID 1536 wrote to memory of 2224	1536	DllCommonsvc.exe	112
PID 1536 wrote to memory of 2224	1536	DllCommonsvc.exe	112
PID 1536 wrote to memory of 2224	1536	DllCommonsvc.exe	112
PID 1536 wrote to memory of 1388	1536	DllCommonsvc.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84484bcfc9ca9bc392a3356f48fce449d274b361cbde4f5c174e232ad1dd8637.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
      - C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
        7⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1472
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
        9⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2500
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        11⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1204
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
        13⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2084
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        15⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2724
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat"
        17⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2708
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat"
        19⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2856
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        21⤵
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1168
        
        C:\providercommon\WmiPrvSE.exe
        
        "C:\providercommon\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jdk1.7.0_80\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\Wallpaper\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\Crashpad\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\Services\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\Services\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Microsoft Shared\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\Microsoft Shared\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9b5f3c0fdc7f4d1b9d4536795e0d0da

SHA1
c7baa58b308763c88f2e39acea6c46ae14a8beab

SHA256
c92244cda8a73a431752e2aaae18c5d5e3ae3de87b7fd5061b2bb200b7fec18f

SHA512
3b5094d4ffee056c0443e4c5cc3c49da9181d5ba4d838a73b521d632dc7470526430015b3ca3743e600f3236c9061c4e44c013dddc1642f206bfe01b17ef8b3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e6571bcc9e18e4365b4fbf047a6da2e

SHA1
e90769f45e1709ebf84db05775e1d0b1ac275a1b

SHA256
de7175deb06c230a8e8850f3f99ac5ef426acb51f5933df4520a3203ac7067ae

SHA512
2a4fc058082d495791ea6913c735fc0ae312cb4bc558bd42b680e1abaa3c144b8e1d0a6f1ede119e33fb4403c7c2115b04f8c21be198f88602cba8352cee0e49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa812da6421f60e1ca0f495215050b66

SHA1
6bbb1b649320ec6f786e8676c0346a7a1daf4952

SHA256
bdcec40a5ddbe179b09d77a4fb89f1fac89c20f6ceeb631a98ea9e623dad7426

SHA512
fb4503cdd5f826e457c047740009ef14753941e0eebbbbe7a6e96cb7f6bbdc939b43f143b4c8540655878482b87a65f18360f24759f314078657516fc2fad6e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2eb50dc6b939dc0fec4bacdb6ce0d27f

SHA1
31b7e39848d6706c01399b2afa5f296a476fd1cd

SHA256
1ceb74208bf98657be0e40bfe5868fd1199d33538bd01d745fbfa32523f2aa98

SHA512
7f7424535b4614e0766247030cd5bbbc652ab58784975756bd2093e170e9a1083e94ee37954a355e2b6a611b320ff701542725b952d31fe69d947bb5875cd3bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef83f5c934ff9f2184299d6bd38b984e

SHA1
c916c3e4d7a4e5acd320b04039f7e70deb738008

SHA256
f12e4edc41a9d784964f39d7a5416cb222040e1b1f8f8b6b30236b59b2c7a5b2

SHA512
95082a665b88d39b2831d07564c663d103940b18585e6f956c05ff5018441933f8d90e63ed3e0eb73d9b75953cfc47887bbf248b8c978ef9cd1d1d9802bb3ed9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a576080557caac108b28d0191120b68

SHA1
c65c6336b6c5918551885a375a3c255854918542

SHA256
877805b932cc93812adda45f5c7d4aef41873fdd50e6d821e87c17595706661e

SHA512
520f9fddbbe157e1bb0f2a172fab28bd3c58bcfc1174428d3bc82c5a899867db94c1feea8d610265ea227cda9cd70080f69a8916d118ef4112188ebf57136705

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2411145918f35e0c382e485df180161

SHA1
6ad48d8958fc42a5379074bd0fa3e92d3e01afd0

SHA256
9a581f7c48a9cf412b924c1d1256648e4824654d6d09a50c6e992e471f20c880

SHA512
0857905f2ccd75b928fa3f28593e19eec65563c96ff0d85b3dc33b6e134bfd31e43a4920f88fa1ed7af7ac8d0c95aebaa4c2281aebc75d8007ccee62989476f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

Filesize
195B

MD5
432ea60f8e93da3b03886e17e5312867

SHA1
5ba1ca6d45765948dc6585b98875a49ea8b25b1d

SHA256
81f9564c5340b810eabca2ba3e385a69a99aa3d56b329bef3dae82d6193cd4d0

SHA512
cca9c6c1962ee0c145568495543e042f56ebbd60154f0c448bc9c85f9f8b1934cd70f0df85e2c0e7cc74fb9b35f9154f416465090dffa7350522223385f24750

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat

Filesize
195B

MD5
e5b7e29afda4e8831cb07c8690e71d87

SHA1
09e7dbd39954486552029a5a75a1929bd949421e

SHA256
eef6b510f9e566c1404fb7b131a2b5d64a18ba5ac2234298967fdef57b786ec7

SHA512
0a180b241d950a862ab22ff7ad7170157f9820678b1caecc23c4878ea26d7becf87ec1bd1a3d7c6ba827b7bb7e1570d0b0e958ebbf8bb270975c3018fa6fa711

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab389F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat

Filesize
195B

MD5
d229e6ff2e23024494aed7563e90dc1f

SHA1
29a84caa8225c4f1e0b6f945c6eceb9374a9ab5e

SHA256
1650cd51d172204d5779f545e104cbd34fb3d48e2ebc29285f8c8258147a5ba1

SHA512
a78490292b9b6ed456877ccc37070f35a7927a1f1f7a5ad0a9ea71e6436b5497edb54dde2b3eec6f5fa80e1e452da4ff6d1491de8abbb4420da8d474b73ef056

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar38F0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VAhDAdBh8f.bat

Filesize
195B

MD5
448f4c25efa65ca941724724ee45eb93

SHA1
53b7282faddaf599cc791018257a40ce8109d22c

SHA256
a1c0d2225cfc60d8df9ceec2a2a729259703b62a43860dc8b0af8d143c121e76

SHA512
6cd1c2fd39826dd4804c0faea9068327eba642905eb53c05cbbea8be93d2635ece85da6ffe158d2636ef7d96f1e91a45d9f74bfc05022cd5973a2cea23c631b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
195B

MD5
c755f33123a00179f2161819d1bce631

SHA1
698dccefcf2a56405d7724ff8eded474c366330c

SHA256
d31112af6e29dccd17be74c8a6efdcb38114c4f03a6f384ac6a3d39e62a07b5d

SHA512
71e66c163a9d92a676284175fc83b35343848ffbcb95bd59152290bc3007b1ecda376567a2ad71bcdd8679e5052c52cac6d3059dd0a13c2401501663594be39c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gWC6ojzqIZ.bat

Filesize
195B

MD5
b1cdce63b0afd0c8e0879ba9c9abda6e

SHA1
12bbee14a6b3f17dfe9d9584adc76025c5c39f98

SHA256
fa94f8c38863832db5b648e47d6b9a04859c49054bb61dbd000d59ecd4f7927f

SHA512
b46cd6075005300db30b80810e1c341132e2f4c65493da1987be2b8e1e48d267210bdaa4f705387b7ee7b6c376654fbb8ca8df0b6d47a310d5ee2b6caf9460db

Download Submit
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

Filesize
195B

MD5
4fc0303c98b63f21cdd0e338f5ce98ac

SHA1
31493372e9cd94c4f99e39609a5ab7016b8f51f4

SHA256
7d629a0466f1cd8323c6c3f278a858214a74e550af8e7223bd88929925b743df

SHA512
9926b4fc6e9a2efb8ac03208e1c131ab0587a07d91a70c0c78685dace9f155b416b8cdacd400f0952fbc1e2df5496a64205e426a0e067545b386597eed3d8af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
195B

MD5
c52d3a6620d9b09db5157d3c698512cd

SHA1
72df851f686938d8edab886cf3bc9af8a0ddb352

SHA256
702c781a4a987481fd79d1fe008c96f1fb5393ecb2a81d1f85630580608a3bf8

SHA512
4a64f543bd0cdaf83e75dad1cb25ddaf79e2ecb5333cdc58c747a407775ba3571904296e76204308e40bf7e93a5b14c6ebbbb9373b7f9e442287cc6edc83dc34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1Y4VAEGZZOWHKP8ERX3U.temp

Filesize
7KB

MD5
b4bac4036781b3c6640ec1739350fe86

SHA1
1f3f577eb58e2eed47a4205c261b26e4f5d72a04

SHA256
de39c49df489c115197bd0d6f97babf565bc6da8b84fe3ca94ab6e9cdfd57ef0

SHA512
f2aceabd0637a74016397038bf49b5e60a62402da556ed3f7e0ba57da03bfdd5405a3cdbe219fe493ece319ce1ef56f864272e6593377b167683dd4cc5ccd3cc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/324-273-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/608-573-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/956-212-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/956-213-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/976-81-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download
memory/1184-94-0x0000000002760000-0x0000000002768000-memory.dmp

Filesize
32KB

Download
memory/1216-513-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/1376-13-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/1376-14-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1376-15-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1376-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1376-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1388-126-0x000000001B200000-0x000000001B4E2000-memory.dmp

Filesize
2.9MB

Download
memory/1536-95-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1600-116-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/1600-153-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1768-633-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/1828-333-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/2100-393-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/2180-453-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2224-138-0x00000000024D0000-0x00000000024D8000-memory.dmp

Filesize
32KB

Download