dcrat | 589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143.exe
Size

1.3MB
MD5

d7da820d606011872170173938427d4e
SHA1

2b6fc629a5ebbd0e04d98eab8346f15cbde93f48
SHA256

589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143
SHA512

0ef21b80cfbcb8d14f0fdb3a26c49aa3ce481d48458d51b84904ae64957e097d22d7abf2370374b1111d5411422897b758618fd48cfb228c4eb19b9973ae5c13
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2684	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2684	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d69-9.dat	dcrat
behavioral1/memory/3040-13-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/2656-54-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/572-194-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/2284-255-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/368-315-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1148-375-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/580-553-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/files/0x000500000001a404-671.dat	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1016	powershell.exe
1704	powershell.exe
2600	powershell.exe
896	powershell.exe
1724	powershell.exe
1576	powershell.exe
2356	powershell.exe
2692	powershell.exe
2108	powershell.exe
1604	powershell.exe
2616	powershell.exe
2524	powershell.exe
1104	powershell.exe
1688	powershell.exe
2580	powershell.exe
1708	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3040	DllCommonsvc.exe
2656	csrss.exe
572	csrss.exe
2284	csrss.exe
368	csrss.exe
1148	csrss.exe
2748	csrss.exe
2052	csrss.exe
580	csrss.exe
1600	csrss.exe
1312	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
536	cmd.exe
536	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\security\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\security\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\authman\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\authman\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Cursors\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2680	schtasks.exe
692	schtasks.exe
2364	schtasks.exe
296	schtasks.exe
264	schtasks.exe
2720	schtasks.exe
2576	schtasks.exe
676	schtasks.exe
2400	schtasks.exe
572	schtasks.exe
2252	schtasks.exe
744	schtasks.exe
1148	schtasks.exe
2724	schtasks.exe
1196	schtasks.exe
2020	schtasks.exe
1988	schtasks.exe
3012	schtasks.exe
1672	schtasks.exe
2116	schtasks.exe
2744	schtasks.exe
1980	schtasks.exe
2568	schtasks.exe
2248	schtasks.exe
1616	schtasks.exe
1036	schtasks.exe
1584	schtasks.exe
580	schtasks.exe
1620	schtasks.exe
3008	schtasks.exe
1904	schtasks.exe
2916	schtasks.exe
396	schtasks.exe
1064	schtasks.exe
1828	schtasks.exe
2700	schtasks.exe
1996	schtasks.exe
612	schtasks.exe
112	schtasks.exe
1380	schtasks.exe
2936	schtasks.exe
1496	schtasks.exe
2000	schtasks.exe
2088	schtasks.exe
640	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3040	DllCommonsvc.exe
3040	DllCommonsvc.exe
3040	DllCommonsvc.exe
896	powershell.exe
1576	powershell.exe
1724	powershell.exe
2356	powershell.exe
2580	powershell.exe
1708	powershell.exe
2524	powershell.exe
1104	powershell.exe
1704	powershell.exe
2616	powershell.exe
2108	powershell.exe
1016	powershell.exe
1688	powershell.exe
2600	powershell.exe
1604	powershell.exe
2692	powershell.exe
2656	csrss.exe
572	csrss.exe
2284	csrss.exe
368	csrss.exe
1148	csrss.exe
2748	csrss.exe
2052	csrss.exe
580	csrss.exe
1600	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3040	DllCommonsvc.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2656	csrss.exe
Token: SeDebugPrivilege	572	csrss.exe
Token: SeDebugPrivilege	2284	csrss.exe
Token: SeDebugPrivilege	368	csrss.exe
Token: SeDebugPrivilege	1148	csrss.exe
Token: SeDebugPrivilege	2748	csrss.exe
Token: SeDebugPrivilege	2052	csrss.exe
Token: SeDebugPrivilege	580	csrss.exe
Token: SeDebugPrivilege	1600	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2620	2200	JaffaCakes118_589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143.exe	30
PID 2200 wrote to memory of 2620	2200	JaffaCakes118_589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143.exe	30
PID 2200 wrote to memory of 2620	2200	JaffaCakes118_589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143.exe	30
PID 2200 wrote to memory of 2620	2200	JaffaCakes118_589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143.exe	30
PID 2620 wrote to memory of 536	2620	WScript.exe	31
PID 2620 wrote to memory of 536	2620	WScript.exe	31
PID 2620 wrote to memory of 536	2620	WScript.exe	31
PID 2620 wrote to memory of 536	2620	WScript.exe	31
PID 536 wrote to memory of 3040	536	cmd.exe	33
PID 536 wrote to memory of 3040	536	cmd.exe	33
PID 536 wrote to memory of 3040	536	cmd.exe	33
PID 536 wrote to memory of 3040	536	cmd.exe	33
PID 3040 wrote to memory of 896	3040	DllCommonsvc.exe	81
PID 3040 wrote to memory of 896	3040	DllCommonsvc.exe	81
PID 3040 wrote to memory of 896	3040	DllCommonsvc.exe	81
PID 3040 wrote to memory of 1724	3040	DllCommonsvc.exe	82
PID 3040 wrote to memory of 1724	3040	DllCommonsvc.exe	82
PID 3040 wrote to memory of 1724	3040	DllCommonsvc.exe	82
PID 3040 wrote to memory of 2356	3040	DllCommonsvc.exe	83
PID 3040 wrote to memory of 2356	3040	DllCommonsvc.exe	83
PID 3040 wrote to memory of 2356	3040	DllCommonsvc.exe	83
PID 3040 wrote to memory of 2524	3040	DllCommonsvc.exe	86
PID 3040 wrote to memory of 2524	3040	DllCommonsvc.exe	86
PID 3040 wrote to memory of 2524	3040	DllCommonsvc.exe	86
PID 3040 wrote to memory of 1016	3040	DllCommonsvc.exe	87
PID 3040 wrote to memory of 1016	3040	DllCommonsvc.exe	87
PID 3040 wrote to memory of 1016	3040	DllCommonsvc.exe	87
PID 3040 wrote to memory of 1576	3040	DllCommonsvc.exe	88
PID 3040 wrote to memory of 1576	3040	DllCommonsvc.exe	88
PID 3040 wrote to memory of 1576	3040	DllCommonsvc.exe	88
PID 3040 wrote to memory of 1604	3040	DllCommonsvc.exe	89
PID 3040 wrote to memory of 1604	3040	DllCommonsvc.exe	89
PID 3040 wrote to memory of 1604	3040	DllCommonsvc.exe	89
PID 3040 wrote to memory of 1704	3040	DllCommonsvc.exe	90
PID 3040 wrote to memory of 1704	3040	DllCommonsvc.exe	90
PID 3040 wrote to memory of 1704	3040	DllCommonsvc.exe	90
PID 3040 wrote to memory of 1688	3040	DllCommonsvc.exe	91
PID 3040 wrote to memory of 1688	3040	DllCommonsvc.exe	91
PID 3040 wrote to memory of 1688	3040	DllCommonsvc.exe	91
PID 3040 wrote to memory of 2616	3040	DllCommonsvc.exe	94
PID 3040 wrote to memory of 2616	3040	DllCommonsvc.exe	94
PID 3040 wrote to memory of 2616	3040	DllCommonsvc.exe	94
PID 3040 wrote to memory of 2580	3040	DllCommonsvc.exe	96
PID 3040 wrote to memory of 2580	3040	DllCommonsvc.exe	96
PID 3040 wrote to memory of 2580	3040	DllCommonsvc.exe	96
PID 3040 wrote to memory of 1104	3040	DllCommonsvc.exe	98
PID 3040 wrote to memory of 1104	3040	DllCommonsvc.exe	98
PID 3040 wrote to memory of 1104	3040	DllCommonsvc.exe	98
PID 3040 wrote to memory of 1708	3040	DllCommonsvc.exe	99
PID 3040 wrote to memory of 1708	3040	DllCommonsvc.exe	99
PID 3040 wrote to memory of 1708	3040	DllCommonsvc.exe	99
PID 3040 wrote to memory of 2108	3040	DllCommonsvc.exe	100
PID 3040 wrote to memory of 2108	3040	DllCommonsvc.exe	100
PID 3040 wrote to memory of 2108	3040	DllCommonsvc.exe	100
PID 3040 wrote to memory of 2600	3040	DllCommonsvc.exe	101
PID 3040 wrote to memory of 2600	3040	DllCommonsvc.exe	101
PID 3040 wrote to memory of 2600	3040	DllCommonsvc.exe	101
PID 3040 wrote to memory of 2692	3040	DllCommonsvc.exe	111
PID 3040 wrote to memory of 2692	3040	DllCommonsvc.exe	111
PID 3040 wrote to memory of 2692	3040	DllCommonsvc.exe	111
PID 3040 wrote to memory of 2656	3040	DllCommonsvc.exe	112
PID 3040 wrote to memory of 2656	3040	DllCommonsvc.exe	112
PID 3040 wrote to memory of 2656	3040	DllCommonsvc.exe	112
PID 2656 wrote to memory of 1828	2656	csrss.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_589e9a180cf0298086cb20205043271c7eba213c8adb8c72a6d08f7721fcb143.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\authman\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        6⤵
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2260
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        8⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2996
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        10⤵
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1928
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        12⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1672
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        14⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1560
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        16⤵
        
        PID:1196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:516
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        18⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2892
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        20⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1892
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
        22⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:272
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe"
        23⤵
        Executes dropped EXE
        
        PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\authman\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\authman\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Windows\Microsoft.NET\authman\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Cursors\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Cursors\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\security\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\security\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\security\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
576KB

MD5
feee64d0fca3ef3c0666d8d8ddc86908

SHA1
9fc5e2c363c7d02ac629d455a28ec38cc68a723d

SHA256
aab19cdb03e122e8b813f2210db24d5566cbb842b6de396a43481b91fe9de380

SHA512
6ee2d023f8352f8308ae56c80d4dcc1ae6c09fb99bcb6ad60556380d8ce2840adf90e02fc624b7b22b4e9b350737a534fba056e2d9dfc32b62d524bfbd6f3e07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca49084a542fe617ffa842f71796bf4a

SHA1
5c79562e63eacb170221f2e931d1559efa2f8be7

SHA256
706820d52ccc67ff42eacd739df380e2ab57e70f8ef0a728fb7487332d896b0d

SHA512
c0f2d3ab64ec586c11fe9dac8da302a08374fa11049a00cb9b4f521645b48e7fc17fe42be994a79e268da083d36e7cee9d57841a812f03435e307dbbd376475a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13c76ea17d9175d2a8ec1004373b5906

SHA1
71849f0e8be8534e19aa878ed18b6555404a64c4

SHA256
fb4372284bce9a369140355725fc6f3afcffb4b4e537324292865f95dd6aa507

SHA512
03bd279aa822b1923c7b1b9682d6cbb13572e2d9222ff8c723fd1ec760ee4bccf0a6621a53697d3f7b7322ceaf050ed735bd17deb2f8836c5d3d2d23c0963274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1243dd70d5afc577e91090aa0ba4eb32

SHA1
dcaf880fb65eaf71a6fd4e1d7e78a1f37c30e04a

SHA256
466555008ac725da52f08c5221080228d2f32f0b6072838a46b9c2f85e7c3050

SHA512
088446f2855618a73e89b8b64b74c86a1763fa542fb45f9ee15587a43ee47ceb853b5638ac94e04b6a5d15278e8bb1fd5af5ed8af06fd7fbb6d3d3a1454515ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3421a6e75f3c59af5ac19c2008c57979

SHA1
dae8617a94221036db0a80bed85411e0f44e8d95

SHA256
783f302fb152b78f1a9184020028acaa37fe3807cc92bce59bcca3a63be417fc

SHA512
b39bc07270e2bd1b761b961cb6546b81af1fb0130c54d8ad368677fa098b3ec4655639b38c073e5d0e256e496f263ef96263d7877408a7e56768351470f3856f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8dedcb5f98fd7ac01185839359b2490

SHA1
6714b458ebb99046b91633102d74ed9ee105e43b

SHA256
9d8826cf04e99e375a5cd49f669566f3c36b1dc7b96446e7ce44fe5c21c1ce76

SHA512
a10bb742ee182534baebdf2cd1c8b0785126f618fde130c850a7cbaf775fb6b8ddc1340757044e9918f94e657b8a1e4d2a4473757fd9da3923bdb69dc5d6f040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c47404deafa88badf9760186ba55a7a2

SHA1
3ad086d038b1d292f9a940c2da769c2d179cfe14

SHA256
12202b24b746eddd6b3cf0cb34a133ac49d1897d44f9bce117e14239fc47a661

SHA512
c7d8b10c4db41998f613da9c7d4a6f7ccfb7333cec816f214031da1e2c4e4721daa969f9decc1bdf8fc5c7f87a1e2a88f90aea724463466e5572ed2becd971e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4a2a11a5b1316d5d533e0657ec24753

SHA1
3e0a293cd694d181aac1056dd36c04cbd8cdca47

SHA256
2ae1f6791da3e8b0014f668bce0bb6bc33a7ec374e770c80f4132f375492d278

SHA512
cdf749307bf5c8eaa0c2de68a077be5b32c0ee5801ff1989b4494edd0b81e0a016624c1f4fd3762e4c22d7c13ecd298d6fc89a11e866cfa0e8a492d02412daf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4813e33529314a2b479cbddf333e7ad0

SHA1
fa9a7f67c347900ae1a12845d5708a32d27aaa19

SHA256
271a9622238fac1e1b81cc23b5cdd377bc4f105e27ed9e61ad92df68073400bc

SHA512
ee075c1ba8bfb1b36ed1ca54ab9aa5776a264d2f7079c3848f11a0af0821914aaa6a5d1821664aac3f2179a118fdbb8c31f45f6191e425308ed976f37d9d9b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
237B

MD5
681f7a84f26db218991997613436510e

SHA1
d8354d891261070ec34c699471c01aeafa7d3ddd

SHA256
b9e2fd8c6ab87ccb5f21a994910d9afed78f4961e9783a0e251891773365a2b3

SHA512
b7ae7bc9b71b2a071503b91ea30dda4047186fd9f4455366857166b788b8c02c92f24c080e47c05a746d902cd6f9dd0d78c6ec93bfba3d99f45ddf0c6491d16d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2129.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

Filesize
237B

MD5
868891bcfec36f04e735d3e3d9c9472f

SHA1
6322a8fab30fca2f48474b05fca5099b5bec354c

SHA256
7a8cff16dc9167629235775d4ab99d5c19c5fab31ca491aff8298f99677c485c

SHA512
af8fac4e7274acfb7ecaf5fc9655e578833113679111b463bd8aaa78df84afe01f6319efbc1100338f32d75fbd792906e39b0037b74bb26fcbf02c3c7ca687f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
237B

MD5
15f1f1119286f381ac886731ad636eca

SHA1
3fa3aeb6af00923d19f93104540725323a319a5c

SHA256
a4d0a414c9197e24fe7550b7f0be476b23f2970106625cf1de71d460bba456e9

SHA512
271a80c54ff6b95f340e92aea1f540e26960e7f1510ef66c06d2e5bcfb14bf387bab50cd4e16a0bc9dcae81b11087e23c469fdf8dbc97a7c667b71462fd92d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2199.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
237B

MD5
181b9dc5d29171cc2223ccf7ea98c9be

SHA1
6bf119bb59debd933986682baa4d456b02c452aa

SHA256
12d45bc9513df3c0efb9af182e3877fee8d29822be9bd276ddbe4e029f38fec6

SHA512
52fd50fb15a6aa6e923a9c9a59c7e8e4ab1a11c5f1207b2996bc55db83fceb2efe6867a3dfa84d381c76356be3decd054a31fa5bffbc16dcbb2ef991ad9d91d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
237B

MD5
43817c0fca958adcd4f950b98b42f985

SHA1
d818e927d4484916458f7fb87e48026786825914

SHA256
bd64bd2c822c5587cad2faec7a2e5399636510e4e8c13f32b88484eecc1ba9a3

SHA512
952a0510b99c02d8b2a940a9f92cfba412750f599785c3f2a6f17601d84006ee97df69af2e9fa6783eda3f2ec9b6b19ad9e470637a4fb8aa59dd8f6a6d45dfec

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
237B

MD5
69585965e77a43fa70d99b0256e73f37

SHA1
fcc5d9ef62205d0c939b9c08f67c08e16810bd6e

SHA256
830b9d6f4f5cc2435a631be6741f4d99d13f66fa163278fc9a2f1502a63ac319

SHA512
aee8177510e28c0ac7b7bd1ced022b16218701d3eef6d30d2cdb2d98619dec901c0c048709762de4e4e98d748695d01e2f8f75be1bd9bdc8199bedbe1eb970e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
237B

MD5
a2ddec4218b71893fc45763d19cc6592

SHA1
ee828305779ae2cd771b3f10aaac9601af9a2b96

SHA256
5328907e0b5b48a9d2bca11c0ba596eec9319020b2832d45b3971776aab485a0

SHA512
6f90b93d3a8fe597d3311840f18896410ffd50a4a4c7e97e47777075ad08b428ec5a57032362e5fa96deb7a2d1c26b8947963879db8104592d50086499cb2c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
237B

MD5
fb13457bfe4938b7db5fbe4ba6de995c

SHA1
ef05af4ec36cfca1ab6534978ac9e9f95a639d92

SHA256
3b2e221eadeeddecd7a90d1c58d5b66b454e790cb60db511ba1f28832eed41ce

SHA512
d3df07de07b70ad75ddf60022f91a027393854c780e95de46047e96fc4bc23985c0e3cbe34416e344551db0c55a5d1363caad9bafdf416d077a60d3e5c66df8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
237B

MD5
7a0894fed5cc9df6fbcc30501ba5e2b5

SHA1
93b8a0e23c18a247d34df1fb1b525dfad22dfc7a

SHA256
97a6b3a49d6a38c6ecf1f5e9338c533e894bfc3734e6ff14b342aff693f17baf

SHA512
4ed601e49c23c379a2fe869a330a7b3949ef1b9be355bf34ecb1790279efa850a33c1477a0e7c56d4321430298bf4785a7540d637a72a5e48967f26c7ec19b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2cb75758e17fe1d41126505ca227d8ea

SHA1
d3bbffb6d57740e21641b6676fdbea42b99dc474

SHA256
9265574ef3a8c61235ab0b163c9f9d259fa8686ad416f1cca840b2d5a28ab75b

SHA512
911b1d5b6c0e28d1f23731ec5b38c5e6f2cf1929677482bbd953f39af48ee3f221afcb87476868c0ecc277ee04310f868458240036130ce28144b5e9c56ea861

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/368-315-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/572-195-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/572-194-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/580-553-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/896-60-0x000000001B330000-0x000000001B612000-memory.dmp

Filesize
2.9MB

Download
memory/896-76-0x00000000025F0000-0x00000000025F8000-memory.dmp

Filesize
32KB

Download
memory/1148-375-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2284-255-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/2656-54-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/3040-15-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/3040-16-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/3040-14-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/3040-17-0x00000000006D0000-0x00000000006DC000-memory.dmp

Filesize
48KB

Download
memory/3040-13-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download