dcrat | ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe
Size

1.3MB
MD5

b3f7440c67beb19abf2e9579e0478b5a
SHA1

505e8af58739465185edbb8e7867508a697aa48d
SHA256

ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c
SHA512

72740374c180c53d12c09f6a0999b7d283c6ebf6c1802619e45ea2a3c1b892d30a0be38737e244cc60328a9d757f445e95830aafb497709b07345716bf7958f7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3592	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4028	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4864	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4388	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3696	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3952	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	548	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	548	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c87-10.dat	dcrat
behavioral2/memory/5028-13-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1736	powershell.exe
916	powershell.exe
4516	powershell.exe
3156	powershell.exe
2584	powershell.exe
216	powershell.exe
4444	powershell.exe
348	powershell.exe
376	powershell.exe
3288	powershell.exe
4916	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	sihost.exe

Executes dropped EXE 15 IoCs

pid	Process
5028	DllCommonsvc.exe
1348	sihost.exe
1632	sihost.exe
428	sihost.exe
1232	sihost.exe
2756	sihost.exe
3200	sihost.exe
2704	sihost.exe
3804	sihost.exe
3172	sihost.exe
3076	sihost.exe
4020	sihost.exe
4588	sihost.exe
3040	sihost.exe
3472	sihost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
44	raw.githubusercontent.com
52	raw.githubusercontent.com
43	raw.githubusercontent.com
23	raw.githubusercontent.com
37	raw.githubusercontent.com
54	raw.githubusercontent.com
16	raw.githubusercontent.com
38	raw.githubusercontent.com
53	raw.githubusercontent.com
15	raw.githubusercontent.com
40	raw.githubusercontent.com
47	raw.githubusercontent.com
51	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\66fc9ff0ee96c2	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\StartMenuExperienceHost.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\55b276f4edf653	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	sihost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4864	schtasks.exe
4388	schtasks.exe
3696	schtasks.exe
1492	schtasks.exe
1960	schtasks.exe
936	schtasks.exe
2536	schtasks.exe
3732	schtasks.exe
1408	schtasks.exe
4132	schtasks.exe
1612	schtasks.exe
1028	schtasks.exe
3056	schtasks.exe
1748	schtasks.exe
2756	schtasks.exe
3764	schtasks.exe
4076	schtasks.exe
2860	schtasks.exe
3744	schtasks.exe
1616	schtasks.exe
2984	schtasks.exe
1364	schtasks.exe
628	schtasks.exe
4028	schtasks.exe
2468	schtasks.exe
4560	schtasks.exe
1764	schtasks.exe
3952	schtasks.exe
3592	schtasks.exe
436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 53 IoCs

pid	Process
5028	DllCommonsvc.exe
5028	DllCommonsvc.exe
5028	DllCommonsvc.exe
5028	DllCommonsvc.exe
5028	DllCommonsvc.exe
5028	DllCommonsvc.exe
4916	powershell.exe
4916	powershell.exe
376	powershell.exe
376	powershell.exe
3288	powershell.exe
3288	powershell.exe
4444	powershell.exe
4444	powershell.exe
216	powershell.exe
216	powershell.exe
4516	powershell.exe
4516	powershell.exe
348	powershell.exe
348	powershell.exe
916	powershell.exe
916	powershell.exe
3288	powershell.exe
3156	powershell.exe
3156	powershell.exe
1736	powershell.exe
1736	powershell.exe
916	powershell.exe
2584	powershell.exe
2584	powershell.exe
216	powershell.exe
4916	powershell.exe
376	powershell.exe
3156	powershell.exe
1736	powershell.exe
4516	powershell.exe
4444	powershell.exe
348	powershell.exe
2584	powershell.exe
1348	sihost.exe
1632	sihost.exe
428	sihost.exe
1232	sihost.exe
2756	sihost.exe
3200	sihost.exe
2704	sihost.exe
3804	sihost.exe
3172	sihost.exe
3076	sihost.exe
4020	sihost.exe
4588	sihost.exe
3040	sihost.exe
3472	sihost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	DllCommonsvc.exe
Token: SeDebugPrivilege	4916	powershell.exe
Token: SeDebugPrivilege	3288	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeDebugPrivilege	4516	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1348	sihost.exe
Token: SeDebugPrivilege	1632	sihost.exe
Token: SeDebugPrivilege	428	sihost.exe
Token: SeDebugPrivilege	1232	sihost.exe
Token: SeDebugPrivilege	2756	sihost.exe
Token: SeDebugPrivilege	3200	sihost.exe
Token: SeDebugPrivilege	2704	sihost.exe
Token: SeDebugPrivilege	3804	sihost.exe
Token: SeDebugPrivilege	3172	sihost.exe
Token: SeDebugPrivilege	3076	sihost.exe
Token: SeDebugPrivilege	4020	sihost.exe
Token: SeDebugPrivilege	4588	sihost.exe
Token: SeDebugPrivilege	3040	sihost.exe
Token: SeDebugPrivilege	3472	sihost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2744	2068	JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe	83
PID 2068 wrote to memory of 2744	2068	JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe	83
PID 2068 wrote to memory of 2744	2068	JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe	83
PID 2744 wrote to memory of 3888	2744	WScript.exe	85
PID 2744 wrote to memory of 3888	2744	WScript.exe	85
PID 2744 wrote to memory of 3888	2744	WScript.exe	85
PID 3888 wrote to memory of 5028	3888	cmd.exe	87
PID 3888 wrote to memory of 5028	3888	cmd.exe	87
PID 5028 wrote to memory of 2584	5028	DllCommonsvc.exe	120
PID 5028 wrote to memory of 2584	5028	DllCommonsvc.exe	120
PID 5028 wrote to memory of 4916	5028	DllCommonsvc.exe	121
PID 5028 wrote to memory of 4916	5028	DllCommonsvc.exe	121
PID 5028 wrote to memory of 216	5028	DllCommonsvc.exe	122
PID 5028 wrote to memory of 216	5028	DllCommonsvc.exe	122
PID 5028 wrote to memory of 3288	5028	DllCommonsvc.exe	123
PID 5028 wrote to memory of 3288	5028	DllCommonsvc.exe	123
PID 5028 wrote to memory of 3156	5028	DllCommonsvc.exe	124
PID 5028 wrote to memory of 3156	5028	DllCommonsvc.exe	124
PID 5028 wrote to memory of 4516	5028	DllCommonsvc.exe	125
PID 5028 wrote to memory of 4516	5028	DllCommonsvc.exe	125
PID 5028 wrote to memory of 376	5028	DllCommonsvc.exe	127
PID 5028 wrote to memory of 376	5028	DllCommonsvc.exe	127
PID 5028 wrote to memory of 4444	5028	DllCommonsvc.exe	128
PID 5028 wrote to memory of 4444	5028	DllCommonsvc.exe	128
PID 5028 wrote to memory of 916	5028	DllCommonsvc.exe	129
PID 5028 wrote to memory of 916	5028	DllCommonsvc.exe	129
PID 5028 wrote to memory of 1736	5028	DllCommonsvc.exe	130
PID 5028 wrote to memory of 1736	5028	DllCommonsvc.exe	130
PID 5028 wrote to memory of 348	5028	DllCommonsvc.exe	131
PID 5028 wrote to memory of 348	5028	DllCommonsvc.exe	131
PID 5028 wrote to memory of 1196	5028	DllCommonsvc.exe	141
PID 5028 wrote to memory of 1196	5028	DllCommonsvc.exe	141
PID 1196 wrote to memory of 3436	1196	cmd.exe	144
PID 1196 wrote to memory of 3436	1196	cmd.exe	144
PID 1196 wrote to memory of 1348	1196	cmd.exe	150
PID 1196 wrote to memory of 1348	1196	cmd.exe	150
PID 1348 wrote to memory of 1880	1348	sihost.exe	158
PID 1348 wrote to memory of 1880	1348	sihost.exe	158
PID 1880 wrote to memory of 2024	1880	cmd.exe	160
PID 1880 wrote to memory of 2024	1880	cmd.exe	160
PID 1880 wrote to memory of 1632	1880	cmd.exe	162
PID 1880 wrote to memory of 1632	1880	cmd.exe	162
PID 1632 wrote to memory of 4576	1632	sihost.exe	165
PID 1632 wrote to memory of 4576	1632	sihost.exe	165
PID 4576 wrote to memory of 4748	4576	cmd.exe	167
PID 4576 wrote to memory of 4748	4576	cmd.exe	167
PID 4576 wrote to memory of 428	4576	cmd.exe	170
PID 4576 wrote to memory of 428	4576	cmd.exe	170
PID 428 wrote to memory of 3984	428	sihost.exe	172
PID 428 wrote to memory of 3984	428	sihost.exe	172
PID 3984 wrote to memory of 3392	3984	cmd.exe	174
PID 3984 wrote to memory of 3392	3984	cmd.exe	174
PID 3984 wrote to memory of 1232	3984	cmd.exe	176
PID 3984 wrote to memory of 1232	3984	cmd.exe	176
PID 1232 wrote to memory of 3076	1232	sihost.exe	178
PID 1232 wrote to memory of 3076	1232	sihost.exe	178
PID 3076 wrote to memory of 1196	3076	cmd.exe	180
PID 3076 wrote to memory of 1196	3076	cmd.exe	180
PID 3076 wrote to memory of 2756	3076	cmd.exe	182
PID 3076 wrote to memory of 2756	3076	cmd.exe	182
PID 2756 wrote to memory of 2416	2756	sihost.exe	184
PID 2756 wrote to memory of 2416	2756	sihost.exe	184
PID 2416 wrote to memory of 2304	2416	cmd.exe	186
PID 2416 wrote to memory of 2304	2416	cmd.exe	186

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ec7b9f631ebf4c70ed7399d6d91efd09395e5de4490c6530f3ae53287a0abe6c.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3888
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjenHU70UM.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1196
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3436
      - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2024
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4748
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3392
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1196
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2304
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
        17⤵
        
        PID:4276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3136
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        19⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:816
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        21⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2688
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        23⤵
        
        PID:4308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2448
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        25⤵
        
        PID:3512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:668
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
        27⤵
        
        PID:3692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3928
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat"
        29⤵
        
        PID:1816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4712
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat"
        31⤵
        
        PID:4576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:5004
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 6 /tr "'C:\providercommon\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 11 /tr "'C:\providercommon\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Windows\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Music\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Admin\Music\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Music\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Downloads\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sihost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

Filesize
244B

MD5
3dd10b11f4fade7d7cdf804b9cd601d4

SHA1
df63e3a19b6e156e22ed7ead0fa6137522da2548

SHA256
8be77914e5af344d89dea08152700ff4ccba1f977a39a3a3c378ed01c31cc237

SHA512
0b56313e354ba2ccfa8707d64b1848be5da099f1df34d025da7988528e5124a5ca213ff833d545e2f5ccb293ec6b205af065d0d55fef0bf04fe6dde5ba51c3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
244B

MD5
d345fe6b9c377d85c1e8d7fa069005bf

SHA1
c21d992ab612758cf373cf3dc1c23a8c199a5d50

SHA256
5faf12d49a344d84ca02e16bcfcc74b95503cf4f52a9462a83968d405e7ee893

SHA512
1077465216d56fc8364b19fd524a41f1779ed10673697b96f011bf43ad103d9eab81c0307a683ecbc6b53ca423f102c241919c8bcb3eb2d7e2d8ab6c3cbe5490

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VGBOjzZtA.bat

Filesize
244B

MD5
980ff379eab5ddd2f9c4f055810bd4ec

SHA1
29b7120956d422aa26d021e4eda0137598ca1781

SHA256
03d9837f5e049f4284ef92eeaf6ed3fff3177753e3090e5ed603ec8aff42df52

SHA512
e44f6fa317806de4cec7d6ea815a2086d3d88fccd1bc72d9b1b26c1110a7ff7e878a391e6c45f5046e10f032821ab3d22a90b6a33a01b8e24b81a818c112b32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
244B

MD5
46dda88e1c418bd1ae061535b34b1a0f

SHA1
c11c4a59262f6cee20ae2d1a8e6d862677050116

SHA256
3547cf37f53d384e771776c11575f6503e718450ffbb1463b81960063b4456f2

SHA512
83c7aa367d830c8cbb15d820e20be2f55b167397788b73c0c60b7b38578143fc9f13623b9f498b146ee59d373251a41498cb2d62bec2406625ba10a7b99bd420

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
244B

MD5
c595ad69a29c14194c689ab05f7881f6

SHA1
7242873cee22d967bf4abc3c91524ee3aef858b8

SHA256
116711e2f000002e490bf752d8024499a40438fd116965419cb9e5f07809303d

SHA512
4083499db8a3130341dae30c89a9d81d6dc6e930c13edd576bec3d11d17a9a3f2eec77836616f31161aebd52be7599b43274caf8b8734e37fb1a1b551a36d742

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjenHU70UM.bat

Filesize
244B

MD5
c640572cf9a05092429759bcf0e2deb7

SHA1
871ea196c1243152f4f247378a20c6ffb00c455d

SHA256
0a9d559cdfaa10101466da07e609b79d7b47c9e134aba44c6f740128a482eab5

SHA512
25b034565e3039a9225b60fffb02f341e36a35fc8f0e9325f48cdaab711422ff36bdf91f1117b1e66f0b695aa86f0a71a665efcaaedf282084f1b958bc7ff5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

Filesize
244B

MD5
8dcc6258db7f4f116fec4d81fb9b7ad4

SHA1
693989504d97f4a101709e73d85c6af46cb035e9

SHA256
d639cd1fda4f1cb6122c6c73d047682a4d0e96a48785485bba9476735baea8ae

SHA512
580755d388d0cdf2be4beffd6891bc84994381f443116bca0bb5adbf27f64f16e53f9d0e04eab3f3bd0ebf2cc8aaea8f1e554fc923930805386b2d3405e7e265

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

Filesize
244B

MD5
982126d8be6a7a49b6f89a90bfdf8687

SHA1
da394568c3f2a7c86ec2dc5069a98d30239ed098

SHA256
afef6e75149171d5fb17cc697276929064dea942339da11979bcb0b99d6c021c

SHA512
29a1686b70e77f5a53222fd9d094e54043b7ebcf955dea36f4564b3f8d6bcd5d6dfebd5caba93dcb3832681c32790982d84362d6c5ace9aeed6d4e6e07b935d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat

Filesize
244B

MD5
af04ccaa09a3c0f7ee901066a68f2a31

SHA1
7063d9ae015d16d0fedcd180692e419e8573209d

SHA256
4f475b1a19a2bfadf8c94c43a109d1f1f06b54103ce33d53370212cbf0b84e9d

SHA512
1dc72b42d8f6aa4d3d1d7fe11217ddf160f9de23923a4bfc24ba49136103e2cb9b4ac53caa226b7ca03ede3c338563fde639973bf8d7e4182922932fa1627ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
244B

MD5
3517a60a9a63442ebb4cbc540c606d70

SHA1
3722a1c098ea7099dde60f41b47443900f84b28b

SHA256
d022e39845c0ec9c4f1a58fc0a5a7108b9f3b5289735d890a509dd75b681b15d

SHA512
9cbe499e4c08a9b18396e6279170d0a11aee09a6c2c6b9418a520f0a35011ddf7d93714522e36f175927597476a40ff96b51d0f90e7f06446f55ea6fa31f5cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22fnl105.c0r.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
244B

MD5
d24fccf1205f8c92582a9d0b53bf2e84

SHA1
d81681b0dccb3f29092a18cd1174702b889ad4d9

SHA256
8e4b22c5790a3d4074b7f0ca9f5adb50b8ca4759e9cd64b1633de5509bf19fb6

SHA512
caa3b0181a2be798e886c0b68549861898d31c454e392f758c7fa12f82e9c89dc4868e7f11f1fa361e0f0f11bc7679b5163c550d3b573f5377ed3827a9ecd3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQXsfud8LV.bat

Filesize
244B

MD5
203b2b2efd0748b3e2df4ea205bace54

SHA1
045e8accfb737f2a7060990248959c91028b44f6

SHA256
ed1574a664e1e36da907636e78499b6bd0af5e49f35bbe43344dafeac8d22015

SHA512
299645096dbd67243cb9260d01be4b7d5f89ac3ec729cda04cb39f506789c45fe48208ea1c30e94f42f0c6ea774ecc39c34768a047140e771c36494f32568121

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

Filesize
244B

MD5
b9410830661aee43c2354eeb19c2d88d

SHA1
143e4f9ce064152fd6e12cf8b017bb38db09b539

SHA256
9c0ff3c5b0cfdf401481e056787852e00e7bf7452ad3244eb8117f51ab3542c1

SHA512
8330f146968c8bd6320c64d0c66aa5f902b77ca38effa2c125f13b5b3efe60924368b1fd16d47f33dc40df1c1868cd23f42b1de4170284c0d2eedefdf73db7e3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/428-186-0x00000000028F0000-0x0000000002902000-memory.dmp

Filesize
72KB

Download
memory/1348-175-0x000000001B030000-0x000000001B0D1000-memory.dmp

Filesize
644KB

Download
memory/1632-184-0x000000001C900000-0x000000001C9A1000-memory.dmp

Filesize
644KB

Download
memory/3076-230-0x00000000029F0000-0x0000000002A02000-memory.dmp

Filesize
72KB

Download
memory/3288-44-0x000002369A7B0000-0x000002369A7D2000-memory.dmp

Filesize
136KB

Download
memory/3804-217-0x00000000027F0000-0x0000000002802000-memory.dmp

Filesize
72KB

Download
memory/4588-243-0x000000001B4E0000-0x000000001B4F2000-memory.dmp

Filesize
72KB

Download
memory/5028-15-0x0000000002D20000-0x0000000002D2C000-memory.dmp

Filesize
48KB

Download
memory/5028-12-0x00007FF8E7E93000-0x00007FF8E7E95000-memory.dmp

Filesize
8KB

Download
memory/5028-13-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/5028-14-0x0000000001500000-0x0000000001512000-memory.dmp

Filesize
72KB

Download
memory/5028-16-0x0000000001510000-0x000000000151C000-memory.dmp

Filesize
48KB

Download
memory/5028-17-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download