dcrat | 0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75.exe
Size

1.3MB
MD5

97dfc753660ce462c0a130dce27716de
SHA1

a2ece2203c1f868598a1a15f161af2958088b0a9
SHA256

0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75
SHA512

d0aef291eba6a01fa0707890e77027df82eaea5042a27e0b51b414598407a9fc1957549fad759ea77944130b63572cba40ff2894a541487f80ac59f12abb09cd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	2084	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2084	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015e48-11.dat	dcrat
behavioral1/memory/2476-13-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/1476-60-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/3864-216-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/3284-335-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/2904-395-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2800-456-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/3828-516-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/3952-577-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
600	powershell.exe
992	powershell.exe
2892	powershell.exe
2628	powershell.exe
2800	powershell.exe
1088	powershell.exe
1308	powershell.exe
2592	powershell.exe
588	powershell.exe
2660	powershell.exe
1756	powershell.exe
2828	powershell.exe
1948	powershell.exe
2776	powershell.exe
3032	powershell.exe
2620	powershell.exe
1800	powershell.exe
2764	powershell.exe
876	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2476	DllCommonsvc.exe
1476	dwm.exe
3864	dwm.exe
2252	dwm.exe
3284	dwm.exe
2904	dwm.exe
2800	dwm.exe
3828	dwm.exe
3952	dwm.exe
3224	dwm.exe
2468	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2788	cmd.exe
2788	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\smss.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2296	schtasks.exe
2468	schtasks.exe
1544	schtasks.exe
1592	schtasks.exe
3068	schtasks.exe
2088	schtasks.exe
1896	schtasks.exe
2932	schtasks.exe
1712	schtasks.exe
1164	schtasks.exe
2744	schtasks.exe
2632	schtasks.exe
380	schtasks.exe
2484	schtasks.exe
1040	schtasks.exe
336	schtasks.exe
1440	schtasks.exe
784	schtasks.exe
3004	schtasks.exe
1980	schtasks.exe
664	schtasks.exe
1032	schtasks.exe
2252	schtasks.exe
2116	schtasks.exe
2740	schtasks.exe
2724	schtasks.exe
2840	schtasks.exe
1884	schtasks.exe
1292	schtasks.exe
2184	schtasks.exe
712	schtasks.exe
1704	schtasks.exe
1316	schtasks.exe
2864	schtasks.exe
2464	schtasks.exe
1620	schtasks.exe
1940	schtasks.exe
2276	schtasks.exe
2844	schtasks.exe
604	schtasks.exe
1324	schtasks.exe
896	schtasks.exe
2160	schtasks.exe
3024	schtasks.exe
2624	schtasks.exe
3052	schtasks.exe
688	schtasks.exe
1320	schtasks.exe
1736	schtasks.exe
2124	schtasks.exe
1108	schtasks.exe
2052	schtasks.exe
2304	schtasks.exe
2564	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2476	DllCommonsvc.exe
1800	powershell.exe
2660	powershell.exe
3032	powershell.exe
2892	powershell.exe
2620	powershell.exe
2628	powershell.exe
2764	powershell.exe
2776	powershell.exe
1948	powershell.exe
600	powershell.exe
1756	powershell.exe
1308	powershell.exe
1476	dwm.exe
2592	powershell.exe
588	powershell.exe
876	powershell.exe
992	powershell.exe
1088	powershell.exe
2828	powershell.exe
2800	powershell.exe
3864	dwm.exe
2252	dwm.exe
3284	dwm.exe
2904	dwm.exe
2800	dwm.exe
3828	dwm.exe
3952	dwm.exe
3224	dwm.exe
2468	dwm.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2476	DllCommonsvc.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	1476	dwm.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	3864	dwm.exe
Token: SeDebugPrivilege	2252	dwm.exe
Token: SeDebugPrivilege	3284	dwm.exe
Token: SeDebugPrivilege	2904	dwm.exe
Token: SeDebugPrivilege	2800	dwm.exe
Token: SeDebugPrivilege	3828	dwm.exe
Token: SeDebugPrivilege	3952	dwm.exe
Token: SeDebugPrivilege	3224	dwm.exe
Token: SeDebugPrivilege	2468	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1864	1732	JaffaCakes118_0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75.exe	30
PID 1732 wrote to memory of 1864	1732	JaffaCakes118_0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75.exe	30
PID 1732 wrote to memory of 1864	1732	JaffaCakes118_0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75.exe	30
PID 1732 wrote to memory of 1864	1732	JaffaCakes118_0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75.exe	30
PID 1864 wrote to memory of 2788	1864	WScript.exe	31
PID 1864 wrote to memory of 2788	1864	WScript.exe	31
PID 1864 wrote to memory of 2788	1864	WScript.exe	31
PID 1864 wrote to memory of 2788	1864	WScript.exe	31
PID 2788 wrote to memory of 2476	2788	cmd.exe	33
PID 2788 wrote to memory of 2476	2788	cmd.exe	33
PID 2788 wrote to memory of 2476	2788	cmd.exe	33
PID 2788 wrote to memory of 2476	2788	cmd.exe	33
PID 2476 wrote to memory of 2764	2476	DllCommonsvc.exe	89
PID 2476 wrote to memory of 2764	2476	DllCommonsvc.exe	89
PID 2476 wrote to memory of 2764	2476	DllCommonsvc.exe	89
PID 2476 wrote to memory of 2628	2476	DllCommonsvc.exe	90
PID 2476 wrote to memory of 2628	2476	DllCommonsvc.exe	90
PID 2476 wrote to memory of 2628	2476	DllCommonsvc.exe	90
PID 2476 wrote to memory of 1800	2476	DllCommonsvc.exe	91
PID 2476 wrote to memory of 1800	2476	DllCommonsvc.exe	91
PID 2476 wrote to memory of 1800	2476	DllCommonsvc.exe	91
PID 2476 wrote to memory of 2776	2476	DllCommonsvc.exe	92
PID 2476 wrote to memory of 2776	2476	DllCommonsvc.exe	92
PID 2476 wrote to memory of 2776	2476	DllCommonsvc.exe	92
PID 2476 wrote to memory of 3032	2476	DllCommonsvc.exe	93
PID 2476 wrote to memory of 3032	2476	DllCommonsvc.exe	93
PID 2476 wrote to memory of 3032	2476	DllCommonsvc.exe	93
PID 2476 wrote to memory of 2660	2476	DllCommonsvc.exe	94
PID 2476 wrote to memory of 2660	2476	DllCommonsvc.exe	94
PID 2476 wrote to memory of 2660	2476	DllCommonsvc.exe	94
PID 2476 wrote to memory of 2620	2476	DllCommonsvc.exe	95
PID 2476 wrote to memory of 2620	2476	DllCommonsvc.exe	95
PID 2476 wrote to memory of 2620	2476	DllCommonsvc.exe	95
PID 2476 wrote to memory of 2892	2476	DllCommonsvc.exe	97
PID 2476 wrote to memory of 2892	2476	DllCommonsvc.exe	97
PID 2476 wrote to memory of 2892	2476	DllCommonsvc.exe	97
PID 2476 wrote to memory of 588	2476	DllCommonsvc.exe	99
PID 2476 wrote to memory of 588	2476	DllCommonsvc.exe	99
PID 2476 wrote to memory of 588	2476	DllCommonsvc.exe	99
PID 2476 wrote to memory of 992	2476	DllCommonsvc.exe	101
PID 2476 wrote to memory of 992	2476	DllCommonsvc.exe	101
PID 2476 wrote to memory of 992	2476	DllCommonsvc.exe	101
PID 2476 wrote to memory of 1948	2476	DllCommonsvc.exe	102
PID 2476 wrote to memory of 1948	2476	DllCommonsvc.exe	102
PID 2476 wrote to memory of 1948	2476	DllCommonsvc.exe	102
PID 2476 wrote to memory of 2592	2476	DllCommonsvc.exe	103
PID 2476 wrote to memory of 2592	2476	DllCommonsvc.exe	103
PID 2476 wrote to memory of 2592	2476	DllCommonsvc.exe	103
PID 2476 wrote to memory of 876	2476	DllCommonsvc.exe	104
PID 2476 wrote to memory of 876	2476	DllCommonsvc.exe	104
PID 2476 wrote to memory of 876	2476	DllCommonsvc.exe	104
PID 2476 wrote to memory of 1308	2476	DllCommonsvc.exe	105
PID 2476 wrote to memory of 1308	2476	DllCommonsvc.exe	105
PID 2476 wrote to memory of 1308	2476	DllCommonsvc.exe	105
PID 2476 wrote to memory of 600	2476	DllCommonsvc.exe	106
PID 2476 wrote to memory of 600	2476	DllCommonsvc.exe	106
PID 2476 wrote to memory of 600	2476	DllCommonsvc.exe	106
PID 2476 wrote to memory of 2828	2476	DllCommonsvc.exe	107
PID 2476 wrote to memory of 2828	2476	DllCommonsvc.exe	107
PID 2476 wrote to memory of 2828	2476	DllCommonsvc.exe	107
PID 2476 wrote to memory of 2800	2476	DllCommonsvc.exe	108
PID 2476 wrote to memory of 2800	2476	DllCommonsvc.exe	108
PID 2476 wrote to memory of 2800	2476	DllCommonsvc.exe	108
PID 2476 wrote to memory of 1756	2476	DllCommonsvc.exe	109

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0a280a806844d0de9d78623eb00f5f89a1df257fbfd6dfcbbb185dce37ce9c75.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
        6⤵
        
        PID:3792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3832
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
        8⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1224
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
        10⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2276
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        12⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1608
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        14⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3256
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat"
        16⤵
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3516
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        18⤵
        
        PID:408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3908
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat"
        20⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2452
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
        22⤵
        
        PID:3392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2540
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
        24⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Google\Temp\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Google\Temp\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\SchCache\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\SchCache\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8afd6e98f649e32401edb8deca596180

SHA1
32d7b3dc01826125aca18eb701f505e20769b377

SHA256
a53cd67a0f1bc13945c84f3c55f377a31739fdaa71a1a053d32015ac8b765508

SHA512
b00abd215f03726917a9fbd97bff0aca7b83b5d92f2e41e5db786378e49a2b0c6c60e914ea16f29b7dd0cb4d3f7bf3733de372dbe718f61ca15c79fee5ff8436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10ff89291e2f86835e79276cb5d5b49c

SHA1
c8674bf89d7b366088feeac91845784b8a79acf0

SHA256
236780ce03267a8063c517d3bfae828b8e295132e22c0c54319bdc8342890a0c

SHA512
5d7a18e48d307fe3aded48545648c1b100c10171bbe7291e821e130e147ff0d833afc7287ab13b634ba28e2ab69f150386774876b2c3077cbfc4f3c79feb3ab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ed90a8437216b16d6856b1a3ac1fcf6

SHA1
eb77254d3dfb8e900691c462ba6fe677d3dd110e

SHA256
45fc06f36b306e94237ff5019ccd16f4bce19ae4d0bf0de6203102c7bf39097d

SHA512
825ae18208d4f41b81836dcae2251c3582996b0c1b52fde0c77405f34ced746a6a9485864dff23df2c4f007c539bd3d586ddc2ff975e28c788395decd72dcd58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b9c04125c7fea0be55dbb63d264f339

SHA1
4a31e6afb74d6939b1fc898991fe3378ac8da7d7

SHA256
5d7f18fc690bbfb7d52f25f64f4d473edb2b5603fa610354012e6a0eac76067f

SHA512
4338af40380ab0d1d6e2c1fc58391d026f63cccbef877a39b2ec6e7d0cad8cdf4d2fe89f76bc5a214ffb85caf0a8eaf84c9905420441aab747525f81c48b33a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca4a7df3d1baf52e552781f8ef101410

SHA1
f1eaa37e58dc4e26593615ea0922a8145bebc3b3

SHA256
65818d06070138e91afa0b0b0e8a0e43a117886644ade4c397f743486a22ba76

SHA512
2d0457081717e0df3564926fbd5a2f5eb2bbef944486a9d01fe805ef681db8cd693d3ff6d5b2e307f9988898adcfae2166f811f0d71a4e223b740e86c0c9cb5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e01de9c39796fecbff5c6003dea6949c

SHA1
3531e4918660834c5b8f28487d3c178bb0b84dc0

SHA256
e992407312beee81e2c4b56a542b5401a3f5b10d5f7c0f28efe305c9a1fc2e89

SHA512
b0e1f8f96aab348dba96d88a3f23a13337c35b23db5c801c08c913f92df49f954fe238b12fbda0a488e552b05d2485af2c3e7df550444ad200a66c1f8d790d90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21e102ba8dea7d2137bc9259b85045ac

SHA1
35202a2ddf6bba48a12162c3ba108e0c3bfb2093

SHA256
cda50cad833b51921a558aa8f5ccd96270679e148c0466b66536b1f2e10228c3

SHA512
a6f29819b7945a75e5841e907691a8d8f199c29750fac3b355adb327adabe7d432657495d64e0bb984452d89fa3a3e90550820d676733f2ec1c0e533d4d3ab9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c0886b04af810177436e0388b44cb9e

SHA1
6cde4ea044c3cbf24b0fb43888e6adf512fa0f6c

SHA256
8e33e85f304b7c8bc24b68ffcf0c4f7084758423f9e26749825e38ce3319c8b8

SHA512
74053834cd8f1a536e9d6f06aa28166ec9649ca77c245b4723401cdc10b12a0ae8d99a293a65b4ba698f283c7e03c9cdba8ba3842b86bc4f9a5cac2bf246ab6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b33ed9464fe1ee23c3dc6215311c07a

SHA1
7407ad4587981fbbd91d7bf4a9c0a8e426bcf9d0

SHA256
a787f0937a4bb7b637f75a23237de63781894dac6204b24c259cb65e7fcf350f

SHA512
eebad4f7d748ca525ba6233d9af65f0c4c2d953c6f3178a085e1c2759fc3f529b8398af8daa4d20cc74b6dd2c52a1335205d465974cb635db52edaaab5972998

Download Submit
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

Filesize
190B

MD5
8ade03b421566b60b0b7a22f735abd2f

SHA1
49dbb3023687cfa3e469f77990d3db73ce18dfb2

SHA256
1b13d059d37e074d4d105c57727d286184efdb049ba4f9a1f39cbae8cdd54714

SHA512
dd10ffea68c60f3575071ecad6c9dc8e1743e36adc82d8cc7e842ff044102f8759d0577eb7bd36640a7fc0cce6970f26fb17ea4b5619ccf81e1a40315d04b945

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

Filesize
190B

MD5
8d5af9d6784cea1764d6d920cee39d9f

SHA1
244302b6faa812b89baba219a2e4fb45fd3a1072

SHA256
33c5b2c983c868bfeb5044641ba72aedc139e8d31bfa6f710630c38955e89b84

SHA512
c07b5bdeaa80e7d3383389afa3d199fc0d11569d3e970f5e847a924f91ac65eff4e4994dde9a2421b2031e5838410a63d7390db8f46d03dda969d31f2d764601

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE11E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat

Filesize
190B

MD5
2a400a7c639ab729f3dc689b1dad3bef

SHA1
c334be487f6322bcb3efc2bcedb8ed5cdacd16b0

SHA256
f2a65c6bfce90e1ed446976f8fd5309d483fa6309cafb1da3f1447a70bdd969a

SHA512
3dffa260150a2d3dcfee0b4a566037c9f9e462d76a5083b111f33b5dfe8cbb6429bca86f710a2a7879dd032df8663220d1a6438cbb5a7c1c4931d063932dc15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\N4rS0hE0df.bat

Filesize
190B

MD5
a8164fb9418de9572512d1ce6eb67874

SHA1
4c779de8a614378b4f8af7434eb77081580c46f1

SHA256
184cf453bfb791d2851bb108da6a02b82fa5d47328e91d0e1d34a050cb1b351f

SHA512
19b037c6c02e4ed41b7517e94a25e9b8a2995d8264aad094c48886421da24a7c6d09f3c1d5a0d5ed0b4ee7554648b5e61f1349e5e9a60622362ea5f8fe056eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\SK7IuFDp7o.bat

Filesize
190B

MD5
ebf19acbad90b0a2b4a31529cb58aebe

SHA1
e4e5c9dfd1ee3145f7fecae932705621265f9280

SHA256
34e3333e6b912a9cae1447e50b722de4c049bb4a09a9b39be2a7dfe51735524a

SHA512
ad80692ff64fb2f407a1ae9722a256da3a3ad04e62bb88f28a5c996ddde86bfa1d020466652cd488d7d9423a6aa137694100869abe08ca78440c6b78df509ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE140.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

Filesize
190B

MD5
bb564c9803f9d3de8be25f275cca5a2d

SHA1
c61a24ff731b62e652ac56b387fd1e813abc346e

SHA256
80c436f3f4d61577bf5d5d1c243f3b6aedaa420b2cd9c204dbdb9e5353ee0791

SHA512
78faeb93b46a7c98e83b4bdb731f2dce3c9a6a8a18333423a9b503d77284b86a84d784078d70ced263b64faed91c474e9f6d6e2ed4a66c620004c62a30c61ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

Filesize
190B

MD5
fa25035ae96a895fa364727342b76f96

SHA1
6dc02cef9770394eb7ab40932a09a54605494f8c

SHA256
7faa6894655f0c88c204ac1b8b2636af4d061f355afea1298bf1f1c93c34d835

SHA512
338fd61112bc145bf764d8f0c5d02bc271d988832eed02062acd1a2c89f6b2d26363b3fea9097739c2c751fe935dccb94e88989b096a9c897a527d3b85602ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
190B

MD5
0c61028df037cacae538262e1f349219

SHA1
e650d9170106f92c71646be33f54b2b19e50352b

SHA256
427c5f49a6c633a0811dac9cf737f7d9477f1f859e8037a1b22c486b3238b628

SHA512
987e0c56d547acad8c53365190708adfafb57e0b4cd80d18896dca8994d5fcea22149a43204062538178b1bc13ea16a21528351b881cb947cb291cf0b443b837

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
190B

MD5
56ada615aaaff2c578478220391f1e4c

SHA1
a327bdc3cf2584709be4a63834dbc83a7cf3e2b6

SHA256
3e100be9fe17b2471cbb448aec99143f7d63ab158674e561e202aba535c7b69f

SHA512
d3c9f9e4dd9edeff3a248a2efbb9e674c0b3ad720175ec804fc9c025df47dd21f0196459d8e6c7e0df08cb9a5e79d0b51e5affefa296bab04365c57278ed1618

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
190B

MD5
358fd788d148e175b52afda78fa5b545

SHA1
58c17c9a632240c3c8c5ee54a7a58c088d79fa98

SHA256
fa6c3ef3644208d1e0c11fc09685432b3fa30eb7083e556e1bb64a84c9f3677c

SHA512
6acddd6830e63e4936ae9585d71972fec0045b48714a4b762276564a610f8ea963ac4d948a5b2f548701d38dadb6d251529f2edb5aed54817c2fedc02aeb622d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
03fa7145e01edc646e2fc7e4537d58d3

SHA1
92cec3a8f86e9b064d7c4ea1548524cc2f30313c

SHA256
6bfe69970918118650723d4b1c8a197688a57a22588675150f920c99ce1bdf1e

SHA512
3ad869af148f7d1c76fda3cf2dd143dfb840b78f5adf591585e3b040b18323ef46ad9a206bc46eac845970a8afa590b588c8c4b9cc0d13b9793adc88ae88a59d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1476-109-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1476-60-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/1800-86-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2476-16-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2476-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2476-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2476-13-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2476-17-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2660-85-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2800-456-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2904-396-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2904-395-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/3224-637-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3284-335-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download
memory/3828-517-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/3828-516-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/3864-216-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/3952-577-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download