dcrat | 6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 05:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc.exe
Size

1.3MB
MD5

2ccbec0d52d71b3a44b1bb2b476a04dd
SHA1

119fc4f2fde76f08afc8f4ee62357d4f46c85146
SHA256

6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc
SHA512

8c37e9958fab698a33b5af9ab6b672495376df1147812963de02f848b545baa8051f0fdf4b3f84cedfac873ae99ed3fb1b315928a015c6151c13ed11461605ee
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2620	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2620	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016031-9.dat	dcrat
behavioral1/memory/2396-13-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2932-129-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/1264-188-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/864-248-0x0000000000C10000-0x0000000000D20000-memory.dmp	dcrat
behavioral1/memory/2396-309-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1848-429-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/1464-489-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/2244-549-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2720-609-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2712-728-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
264	powershell.exe
1000	powershell.exe
1664	powershell.exe
1004	powershell.exe
996	powershell.exe
2500	powershell.exe
1856	powershell.exe
872	powershell.exe
2628	powershell.exe
2068	powershell.exe
2000	powershell.exe
2964	powershell.exe
3000	powershell.exe
1692	powershell.exe
1660	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2396	DllCommonsvc.exe
2932	OSPPSVC.exe
1264	OSPPSVC.exe
864	OSPPSVC.exe
2396	OSPPSVC.exe
1300	OSPPSVC.exe
1848	OSPPSVC.exe
1464	OSPPSVC.exe
2244	OSPPSVC.exe
2720	OSPPSVC.exe
328	OSPPSVC.exe
2712	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	cmd.exe
2956	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\7a0fd90576e088	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\browser\features\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\ja-JP\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\CSC\v2.0.6\audiodg.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1668	schtasks.exe
680	schtasks.exe
2204	schtasks.exe
2200	schtasks.exe
1220	schtasks.exe
1924	schtasks.exe
2916	schtasks.exe
2452	schtasks.exe
1696	schtasks.exe
2612	schtasks.exe
1464	schtasks.exe
1596	schtasks.exe
1564	schtasks.exe
2168	schtasks.exe
2016	schtasks.exe
336	schtasks.exe
1756	schtasks.exe
2872	schtasks.exe
2072	schtasks.exe
2520	schtasks.exe
392	schtasks.exe
2896	schtasks.exe
1652	schtasks.exe
1684	schtasks.exe
316	schtasks.exe
1852	schtasks.exe
1732	schtasks.exe
956	schtasks.exe
1700	schtasks.exe
2376	schtasks.exe
532	schtasks.exe
2252	schtasks.exe
2508	schtasks.exe
696	schtasks.exe
3048	schtasks.exe
992	schtasks.exe
2644	schtasks.exe
2112	schtasks.exe
1412	schtasks.exe
236	schtasks.exe
1592	schtasks.exe
768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2396	DllCommonsvc.exe
1004	powershell.exe
1856	powershell.exe
2068	powershell.exe
872	powershell.exe
2964	powershell.exe
2628	powershell.exe
996	powershell.exe
1660	powershell.exe
1692	powershell.exe
264	powershell.exe
2500	powershell.exe
1000	powershell.exe
2000	powershell.exe
1664	powershell.exe
3000	powershell.exe
2932	OSPPSVC.exe
1264	OSPPSVC.exe
864	OSPPSVC.exe
2396	OSPPSVC.exe
1300	OSPPSVC.exe
1848	OSPPSVC.exe
1464	OSPPSVC.exe
2244	OSPPSVC.exe
2720	OSPPSVC.exe
328	OSPPSVC.exe
2712	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2396	DllCommonsvc.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	2932	OSPPSVC.exe
Token: SeDebugPrivilege	1264	OSPPSVC.exe
Token: SeDebugPrivilege	864	OSPPSVC.exe
Token: SeDebugPrivilege	2396	OSPPSVC.exe
Token: SeDebugPrivilege	1300	OSPPSVC.exe
Token: SeDebugPrivilege	1848	OSPPSVC.exe
Token: SeDebugPrivilege	1464	OSPPSVC.exe
Token: SeDebugPrivilege	2244	OSPPSVC.exe
Token: SeDebugPrivilege	2720	OSPPSVC.exe
Token: SeDebugPrivilege	328	OSPPSVC.exe
Token: SeDebugPrivilege	2712	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2700	2684	JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc.exe	31
PID 2684 wrote to memory of 2700	2684	JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc.exe	31
PID 2684 wrote to memory of 2700	2684	JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc.exe	31
PID 2684 wrote to memory of 2700	2684	JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc.exe	31
PID 2700 wrote to memory of 2956	2700	WScript.exe	32
PID 2700 wrote to memory of 2956	2700	WScript.exe	32
PID 2700 wrote to memory of 2956	2700	WScript.exe	32
PID 2700 wrote to memory of 2956	2700	WScript.exe	32
PID 2956 wrote to memory of 2396	2956	cmd.exe	34
PID 2956 wrote to memory of 2396	2956	cmd.exe	34
PID 2956 wrote to memory of 2396	2956	cmd.exe	34
PID 2956 wrote to memory of 2396	2956	cmd.exe	34
PID 2396 wrote to memory of 1856	2396	DllCommonsvc.exe	78
PID 2396 wrote to memory of 1856	2396	DllCommonsvc.exe	78
PID 2396 wrote to memory of 1856	2396	DllCommonsvc.exe	78
PID 2396 wrote to memory of 2068	2396	DllCommonsvc.exe	79
PID 2396 wrote to memory of 2068	2396	DllCommonsvc.exe	79
PID 2396 wrote to memory of 2068	2396	DllCommonsvc.exe	79
PID 2396 wrote to memory of 1660	2396	DllCommonsvc.exe	80
PID 2396 wrote to memory of 1660	2396	DllCommonsvc.exe	80
PID 2396 wrote to memory of 1660	2396	DllCommonsvc.exe	80
PID 2396 wrote to memory of 1692	2396	DllCommonsvc.exe	81
PID 2396 wrote to memory of 1692	2396	DllCommonsvc.exe	81
PID 2396 wrote to memory of 1692	2396	DllCommonsvc.exe	81
PID 2396 wrote to memory of 2500	2396	DllCommonsvc.exe	82
PID 2396 wrote to memory of 2500	2396	DllCommonsvc.exe	82
PID 2396 wrote to memory of 2500	2396	DllCommonsvc.exe	82
PID 2396 wrote to memory of 3000	2396	DllCommonsvc.exe	83
PID 2396 wrote to memory of 3000	2396	DllCommonsvc.exe	83
PID 2396 wrote to memory of 3000	2396	DllCommonsvc.exe	83
PID 2396 wrote to memory of 1004	2396	DllCommonsvc.exe	84
PID 2396 wrote to memory of 1004	2396	DllCommonsvc.exe	84
PID 2396 wrote to memory of 1004	2396	DllCommonsvc.exe	84
PID 2396 wrote to memory of 1664	2396	DllCommonsvc.exe	85
PID 2396 wrote to memory of 1664	2396	DllCommonsvc.exe	85
PID 2396 wrote to memory of 1664	2396	DllCommonsvc.exe	85
PID 2396 wrote to memory of 996	2396	DllCommonsvc.exe	86
PID 2396 wrote to memory of 996	2396	DllCommonsvc.exe	86
PID 2396 wrote to memory of 996	2396	DllCommonsvc.exe	86
PID 2396 wrote to memory of 2628	2396	DllCommonsvc.exe	87
PID 2396 wrote to memory of 2628	2396	DllCommonsvc.exe	87
PID 2396 wrote to memory of 2628	2396	DllCommonsvc.exe	87
PID 2396 wrote to memory of 1000	2396	DllCommonsvc.exe	88
PID 2396 wrote to memory of 1000	2396	DllCommonsvc.exe	88
PID 2396 wrote to memory of 1000	2396	DllCommonsvc.exe	88
PID 2396 wrote to memory of 872	2396	DllCommonsvc.exe	89
PID 2396 wrote to memory of 872	2396	DllCommonsvc.exe	89
PID 2396 wrote to memory of 872	2396	DllCommonsvc.exe	89
PID 2396 wrote to memory of 2964	2396	DllCommonsvc.exe	90
PID 2396 wrote to memory of 2964	2396	DllCommonsvc.exe	90
PID 2396 wrote to memory of 2964	2396	DllCommonsvc.exe	90
PID 2396 wrote to memory of 264	2396	DllCommonsvc.exe	91
PID 2396 wrote to memory of 264	2396	DllCommonsvc.exe	91
PID 2396 wrote to memory of 264	2396	DllCommonsvc.exe	91
PID 2396 wrote to memory of 2000	2396	DllCommonsvc.exe	92
PID 2396 wrote to memory of 2000	2396	DllCommonsvc.exe	92
PID 2396 wrote to memory of 2000	2396	DllCommonsvc.exe	92
PID 2396 wrote to memory of 2696	2396	DllCommonsvc.exe	101
PID 2396 wrote to memory of 2696	2396	DllCommonsvc.exe	101
PID 2396 wrote to memory of 2696	2396	DllCommonsvc.exe	101
PID 2696 wrote to memory of 2584	2696	cmd.exe	110
PID 2696 wrote to memory of 2584	2696	cmd.exe	110
PID 2696 wrote to memory of 2584	2696	cmd.exe	110
PID 2696 wrote to memory of 2932	2696	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e453d3ba868825da6a8c05c4bf45eea5f65169952411ce7a5dca47ffea505dc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\browser\features\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1kGixCDpk.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2584
      - C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        7⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2188
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        9⤵
        
        PID:892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2536
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
        11⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2436
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat"
        13⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1624
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat"
        15⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2284
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
        17⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1768
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        19⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:936
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        21⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2200
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        23⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:564
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat"
        25⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2292
        
        C:\Windows\ja-JP\OSPPSVC.exe
        
        "C:\Windows\ja-JP\OSPPSVC.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\browser\features\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\browser\features\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\browser\features\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Windows\Registration\CRMLog\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Favorites\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows NT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\ja-JP\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6c0cd86cae5effc9e29ac952ac7226e

SHA1
4c74bce8deb2ffd2ae181f69576c4db6451aba4d

SHA256
bbbdc7f6d81319d0c721547d96ca6ac021507ffcaa479eb599d0d6c56791913c

SHA512
dc2c99bdaff2774e600b975fef8fe425c96164508d5775336bb8deceda80d6ee3976964f7a432bebda176b4b6d439e3361d1cb5eca42127b17cb6ebfb4d1f21d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f71eed5be21d70c55139bbe8ba7e158

SHA1
a922d6ce2eb5407891684b062acc03011b4bd4b6

SHA256
5929d1c22be0f8248adedb3d9579b2c6ccf5cab8ae74e5c21597e18879163aea

SHA512
00003fd5ad6cb9f30281a4ca2be7381234a524ecdefe9d48d1ccfe041f1585ad85d87d38dca86e3c287fb1c04b2a744da4daa153e48b5a03936dd063d31ad443

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eab748ff5b30133b1998c48880e1d51d

SHA1
95b49800ffab7917543a2bf956e5afe2fe3aa38d

SHA256
7914c02f2f79a84f6c01f3663ab1054eae25de3b16543b8ca03e5e41a0fdacd6

SHA512
ef8c912ed7cf1fab6c895c4315091a8931a30abaa34ef7a25b824da74e0da65ffdd296dda40caf08b27f60cdf5d51820f6e47a6490d189c52a687350f3cc7ac3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90432f8c079183410ee48d5d18bc9ce7

SHA1
485083bcee640745b7abc14e2b9e24561c340184

SHA256
4cb56f4ce8f31e9dcec7a21bb6e45d256b2b057734b32d067c237cd0228b2f66

SHA512
74b7fb79943e8c7b319cdb17a1d61fe16dfcd3d0001ccc05461f19c488380d78ab7e34cf8da62853ca06269d985366dac8c1cb69fb4b86b3c3ed5c4361f853cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
567fe9e409723b2fcb7bce67c1ca7294

SHA1
ecf623cc1e3566d95886a66b2d13b0b17e331127

SHA256
2dcfe062d2faff0c00c1c6ff4d7b4b5219a1a3d752a138271b348410ac959946

SHA512
cdb2c41ecdcbbc57f0dc622391abfac94f3b3c27392086f60ea62461f65f1e5c33d899b17f7953821377ae5525e155753d8d065eb5e426b5a609dc24ccf3f954

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f3e13aac867bfb83767a104a58abfd6

SHA1
811bfbd7f92a5b10ef786d4d80ce773432cb00bb

SHA256
113f25274a86477fe8afb3c902b481571e95b0db4141c2bbb5d9b4bc558229ed

SHA512
3b9a332e9f8d3836fefbe7868666cf7afbad46b9b620433332b18130cbc5e96bc1b2a0a77ac1bbeb48fe06ec8bd6f12c9fe374f3d0bf25252a0d1f03f4972b3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58258e6172fea8a47e3aeac1d6f24c77

SHA1
3272242fc81bbe256695a598421df94afb974681

SHA256
7ba1b7cc37fcf9a3a9c297c187a3359684f97699d21166ea5bd21026f3bdab32

SHA512
83a45ac9cc4211ce0d3e2b4792b10770c047f4fdb4d9441b2f222c8534c1c39a2556dc39be0bb7b5e57cf2a34d13d198516f9f711509e0992a0507a32100068d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57fb6513e6967bf5557c7a5063bacfa4

SHA1
29e16d73c2e19b2344d4916c320ae918ed43dbfd

SHA256
2351cd6277517e09543c210d6eaa91acd30633910c9232f442c71c32129a151e

SHA512
8184f81c1f194504c1ab60c7b4e41e3bc3b5beb37b04b001e08e8659c8c71722d360d7286f9a1f40248bcf02d8fcd0833a59dc917d04d21e9f2026e6116ffcb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
178bb6f98842aaa9c1c0d263734e9eae

SHA1
05708720f1b833229a34a6495facfed6d251219f

SHA256
ae08276c5b83f332200865d251c5debe5ed4de26106bef96162ec8556eb3481b

SHA512
49f96933cc8501a7ed937818cffd4039ca5982a9737543084d2a0c922a79a54edbc284a350c5f6f91783f61d9d05c92e6ca4755c94a1c7c84e52cb7a89dd275e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

Filesize
193B

MD5
8be40fab81faa25a34ab46a5447e8e55

SHA1
73337260f6ebd50ddecd4824af03a84fc3d32d32

SHA256
d0a1a5fb1f02a71fc9f5f3dbf41737820475a6cecd331433671d5dac92e44e59

SHA512
32a60a9b160a9a826435ac69ae686d8ce431e66464428b794bb0127afe874f591941f6b626180583935643a3ee45a47547fa70aacc90549b8c8791358e471e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5cWoBfSAzl.bat

Filesize
193B

MD5
0dabc402cd75499ed8a054de8b2b1f02

SHA1
94e579717e678414eb9b48d7a63e13c10b750eba

SHA256
383a8a0fc28b85e90c4d3ec4c9fdba636856c01c627e37e915622bcfb4b43ab4

SHA512
b26bd80cced01a0306d4ca47a2714d703883745fa3945b3e32d0bf3fbd1b3cf843fc9ab95b32532c35388c901b02c558bb7b75134dfa747ec78d2f34c554d406

Download Submit
C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

Filesize
193B

MD5
1c2746c431deb7ceae56c1b24c244720

SHA1
e0c8a69c80f08fd47164a87ecece21c873483b9f

SHA256
1f7bb0235783d6b957141015b84f5d08c6c6875b3172e2738573b740aa18071e

SHA512
ff835df7dd341063ac27204329fc42244489a160b9d4aed39f6197ba97d199182fcc41d7bc32d20a179a6037c783ac53daa986d718162f65c566b651d5520f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3381.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
193B

MD5
f102bc397f8a0f06cec915b5d4434815

SHA1
d7e9df755f7254f0165e7ee18aa22a3e0d3a7426

SHA256
4e7633ee9e58f26cad5604b1ad8217f5cb730198e19f81d4ec6d38a4cc82f00f

SHA512
957923b6ef8190d884831548ca550d0c79a7112ab86677e150c51c1e2155a6758c92c7ead2a8ab5c929d4a2b2817050de9ec2ff9dfd99610f279412d1c674156

Download Submit
C:\Users\Admin\AppData\Local\Temp\InhrPXXuGB.bat

Filesize
193B

MD5
e844d2336590455fe0b1ae3c97fab89c

SHA1
d215491d296a7c2bdebd8049a74949139a4c65d9

SHA256
490b1ded85f3a0f4681e346768139c17caf3bce2ea62fa1e43003fa2a1f5a29b

SHA512
b08737f050fc80a56eff713b98247939c3aeefea316b6a532163512374290571621a2b82c8bbdafd311ba21a37f3d5d43ef3f5d758a274d338e6fc8c3eaf5192

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
193B

MD5
11f723a3a3ddab8e02da98d6c38cc691

SHA1
ece1c1160599811f7e95914c6ec1df13fcc45977

SHA256
5e4c84d5f80ab4cea1dd68ab61cbedeb92805fe8278d5dca0c0a70a023a7f0e4

SHA512
4eb268aaf38e86164a9c595891dcaf59655192c6748a43a3a4f80d3535046d9cb3525848f5b89006ef49e35fa3c046249ba397c83ccc4b72323faa5eae144545

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3393.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

Filesize
193B

MD5
3eddbfbcfb6be077ea2cc9681e04ecf3

SHA1
ab8e9ad23b533bc20796ffd8fa5680e1956edbdb

SHA256
205d640e61c07b8b99b5eeee00c85ef53c74c0d2c0e6cfe14bc7e24f8c8cd0d7

SHA512
2013bf62ee2ffe643a5af6112a1bda8d34dc196be6702567ef9a7cc360222a8e5f856dc6924dec22f16c5b58bfc79502a1a3ac1a4c588ef32ac46ecc3f141d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBgHK1Vy37.bat

Filesize
193B

MD5
88d6de907760dba9bc1a9cce3bf59719

SHA1
f68ccdc118c33516c35c15b81ddc5aaa91d8cecb

SHA256
fbe4347b0e87561b15a8ef40afc8c413b87ab6b90fc1608b4de565e156d2dd05

SHA512
a276a894a77c760412261bf8ebe262a9f4c34bf86508eca09ba5a6dd00348d080439deb70123c3504cc4a44d74d750dce2123bf3bc4834e1948fd7c430d6885c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
193B

MD5
3034019e762e571db3f2faab49c5eb31

SHA1
eb8a04174f3a574e789d94a2e6ca30fb35e779d7

SHA256
29d9b397905326e54c780b3f2d0bc892f203b5a8f2f1d9934eccb32f8b74f457

SHA512
2a0a782121c289f6878ecca67e0b922ed57283b9b36e62cd0ddd339109251c4bae3229eb2450bc959c3f591ba35bee079fb09e865cbc42e90f67381205517ae9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

Filesize
193B

MD5
1a53098a8e28222d5986f0109607b51c

SHA1
7d0ac768232c6fa2ad84ccfb25210242b8f5955b

SHA256
c20549ed0223b20bb58f58496c1a094d6d6bfc60e5a4a245f6b36c2e1ce5a607

SHA512
c31d44d34e03b8f3af2a47c3f01145587e31e332530c1baba6d9007d1a69c2eaab18cd8527aea2e31d4426b04e0ea41ae0337d697c71fa02d502d6bfa4bf71e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1kGixCDpk.bat

Filesize
193B

MD5
821fb6bbe4cd2de7fdc424fd5da1ede2

SHA1
44b7ad5cab01f00290e1c8f260b49d2f0d82e008

SHA256
0da5a592f0877d316099a10a37c94c14e501782d8e36100bfc80c5a5eb235749

SHA512
804bf5e3a14d28dc5d9e7982b6321dbe03d7b3043f296f22c5ec8da38dc3fa3a09a56e6cb10fbeac8bdcca5453e2bdf8d21b609d2c098cb47f5d0db6f02f44e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8dab1bf80d29fa0856a6932b754ff9a5

SHA1
d9151dedd7823376830f05b92e6ce1cb7b6fa785

SHA256
c183551e5ec0ef42b77708dbb560e95f1ca54f6b6607e3473d76c001545c3bc6

SHA512
e623d312677adc6319dba0029b02a603a9a699882e12d4fdbfdb80830f849ee67c268a69404453f086719319ec50b3d0e477af0faa913648a7e78f9b3665a87c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/864-248-0x0000000000C10000-0x0000000000D20000-memory.dmp

Filesize
1.1MB

Download
memory/864-249-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1004-70-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1004-71-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1264-188-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/1300-369-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1464-489-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/1848-429-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2244-549-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2396-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2396-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2396-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2396-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2396-13-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2396-309-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2712-728-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2720-609-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2932-129-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download