dcrat | 8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f.exe
Size

1.3MB
MD5

495a5d313c6b92f825aa52fd6c16d1d4
SHA1

f44c47c9b0e29235ed48c877e293ed49c38d7f57
SHA256

8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f
SHA512

5f9807614d73379a647874f5e1a137d0123a71c9e02221a113855ef67d1cddbc78be9666715239c87772d800992056ba6fbbd15fa2a7fabcda7c4f41bf4edab0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2780	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2780	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001939c-9.dat	dcrat
behavioral1/memory/1696-13-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/1580-150-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/1664-209-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2528-269-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/580-329-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/1848-390-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2392-451-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/2572-570-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/836-630-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2560	powershell.exe
2332	powershell.exe
3008	powershell.exe
2096	powershell.exe
300	powershell.exe
1488	powershell.exe
1248	powershell.exe
2908	powershell.exe
2764	powershell.exe
2356	powershell.exe
1512	powershell.exe
2756	powershell.exe
2740	powershell.exe
2368	powershell.exe
1484	powershell.exe
1740	powershell.exe
2576	powershell.exe
2712	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1696	DllCommonsvc.exe
1580	lsass.exe
1664	lsass.exe
2528	lsass.exe
580	lsass.exe
1848	lsass.exe
2392	lsass.exe
1540	lsass.exe
2572	lsass.exe
836	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	cmd.exe
2364	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
34	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\taskhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\ja-JP\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
432	schtasks.exe
2440	schtasks.exe
2548	schtasks.exe
2668	schtasks.exe
2624	schtasks.exe
1588	schtasks.exe
2224	schtasks.exe
1924	schtasks.exe
2064	schtasks.exe
556	schtasks.exe
2412	schtasks.exe
1808	schtasks.exe
1584	schtasks.exe
1272	schtasks.exe
2960	schtasks.exe
2480	schtasks.exe
2868	schtasks.exe
2200	schtasks.exe
1860	schtasks.exe
2072	schtasks.exe
1432	schtasks.exe
1704	schtasks.exe
2460	schtasks.exe
912	schtasks.exe
1852	schtasks.exe
1516	schtasks.exe
2256	schtasks.exe
2396	schtasks.exe
1972	schtasks.exe
484	schtasks.exe
2320	schtasks.exe
1964	schtasks.exe
536	schtasks.exe
548	schtasks.exe
1360	schtasks.exe
1548	schtasks.exe
1508	schtasks.exe
2512	schtasks.exe
2264	schtasks.exe
2656	schtasks.exe
2660	schtasks.exe
2036	schtasks.exe
2524	schtasks.exe
2056	schtasks.exe
1656	schtasks.exe
2592	schtasks.exe
344	schtasks.exe
2748	schtasks.exe
2676	schtasks.exe
2076	schtasks.exe
2080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1696	DllCommonsvc.exe
2560	powershell.exe
2756	powershell.exe
2332	powershell.exe
2576	powershell.exe
2712	powershell.exe
2740	powershell.exe
2356	powershell.exe
1248	powershell.exe
2096	powershell.exe
1484	powershell.exe
2764	powershell.exe
1488	powershell.exe
1512	powershell.exe
300	powershell.exe
3008	powershell.exe
2908	powershell.exe
1740	powershell.exe
2368	powershell.exe
1580	lsass.exe
1664	lsass.exe
2528	lsass.exe
580	lsass.exe
1848	lsass.exe
2392	lsass.exe
1540	lsass.exe
2572	lsass.exe
836	lsass.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	DllCommonsvc.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1580	lsass.exe
Token: SeDebugPrivilege	1664	lsass.exe
Token: SeDebugPrivilege	2528	lsass.exe
Token: SeDebugPrivilege	580	lsass.exe
Token: SeDebugPrivilege	1848	lsass.exe
Token: SeDebugPrivilege	2392	lsass.exe
Token: SeDebugPrivilege	1540	lsass.exe
Token: SeDebugPrivilege	2572	lsass.exe
Token: SeDebugPrivilege	836	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2540	2568	JaffaCakes118_8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f.exe	30
PID 2568 wrote to memory of 2540	2568	JaffaCakes118_8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f.exe	30
PID 2568 wrote to memory of 2540	2568	JaffaCakes118_8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f.exe	30
PID 2568 wrote to memory of 2540	2568	JaffaCakes118_8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f.exe	30
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 1696 wrote to memory of 2712	1696	DllCommonsvc.exe	86
PID 1696 wrote to memory of 2712	1696	DllCommonsvc.exe	86
PID 1696 wrote to memory of 2712	1696	DllCommonsvc.exe	86
PID 1696 wrote to memory of 1512	1696	DllCommonsvc.exe	87
PID 1696 wrote to memory of 1512	1696	DllCommonsvc.exe	87
PID 1696 wrote to memory of 1512	1696	DllCommonsvc.exe	87
PID 1696 wrote to memory of 2332	1696	DllCommonsvc.exe	88
PID 1696 wrote to memory of 2332	1696	DllCommonsvc.exe	88
PID 1696 wrote to memory of 2332	1696	DllCommonsvc.exe	88
PID 1696 wrote to memory of 2576	1696	DllCommonsvc.exe	89
PID 1696 wrote to memory of 2576	1696	DllCommonsvc.exe	89
PID 1696 wrote to memory of 2576	1696	DllCommonsvc.exe	89
PID 1696 wrote to memory of 1740	1696	DllCommonsvc.exe	91
PID 1696 wrote to memory of 1740	1696	DllCommonsvc.exe	91
PID 1696 wrote to memory of 1740	1696	DllCommonsvc.exe	91
PID 1696 wrote to memory of 1248	1696	DllCommonsvc.exe	92
PID 1696 wrote to memory of 1248	1696	DllCommonsvc.exe	92
PID 1696 wrote to memory of 1248	1696	DllCommonsvc.exe	92
PID 1696 wrote to memory of 2560	1696	DllCommonsvc.exe	93
PID 1696 wrote to memory of 2560	1696	DllCommonsvc.exe	93
PID 1696 wrote to memory of 2560	1696	DllCommonsvc.exe	93
PID 1696 wrote to memory of 2356	1696	DllCommonsvc.exe	94
PID 1696 wrote to memory of 2356	1696	DllCommonsvc.exe	94
PID 1696 wrote to memory of 2356	1696	DllCommonsvc.exe	94
PID 1696 wrote to memory of 1488	1696	DllCommonsvc.exe	95
PID 1696 wrote to memory of 1488	1696	DllCommonsvc.exe	95
PID 1696 wrote to memory of 1488	1696	DllCommonsvc.exe	95
PID 1696 wrote to memory of 1484	1696	DllCommonsvc.exe	96
PID 1696 wrote to memory of 1484	1696	DllCommonsvc.exe	96
PID 1696 wrote to memory of 1484	1696	DllCommonsvc.exe	96
PID 1696 wrote to memory of 300	1696	DllCommonsvc.exe	97
PID 1696 wrote to memory of 300	1696	DllCommonsvc.exe	97
PID 1696 wrote to memory of 300	1696	DllCommonsvc.exe	97
PID 1696 wrote to memory of 2096	1696	DllCommonsvc.exe	98
PID 1696 wrote to memory of 2096	1696	DllCommonsvc.exe	98
PID 1696 wrote to memory of 2096	1696	DllCommonsvc.exe	98
PID 1696 wrote to memory of 2368	1696	DllCommonsvc.exe	99
PID 1696 wrote to memory of 2368	1696	DllCommonsvc.exe	99
PID 1696 wrote to memory of 2368	1696	DllCommonsvc.exe	99
PID 1696 wrote to memory of 2740	1696	DllCommonsvc.exe	100
PID 1696 wrote to memory of 2740	1696	DllCommonsvc.exe	100
PID 1696 wrote to memory of 2740	1696	DllCommonsvc.exe	100
PID 1696 wrote to memory of 3008	1696	DllCommonsvc.exe	101
PID 1696 wrote to memory of 3008	1696	DllCommonsvc.exe	101
PID 1696 wrote to memory of 3008	1696	DllCommonsvc.exe	101
PID 1696 wrote to memory of 2764	1696	DllCommonsvc.exe	102
PID 1696 wrote to memory of 2764	1696	DllCommonsvc.exe	102
PID 1696 wrote to memory of 2764	1696	DllCommonsvc.exe	102
PID 1696 wrote to memory of 2908	1696	DllCommonsvc.exe	103
PID 1696 wrote to memory of 2908	1696	DllCommonsvc.exe	103
PID 1696 wrote to memory of 2908	1696	DllCommonsvc.exe	103
PID 1696 wrote to memory of 2756	1696	DllCommonsvc.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cb6011f94b938d3a0b306954acd0b99d595fc4858144226072ccd0a54699d1f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Hearts\ja-JP\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yhXGfi446B.bat"
        5⤵
        
        PID:1164
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2960
      - C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
        7⤵
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1716
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
        9⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1780
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"
        11⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2280
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        13⤵
        
        PID:556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2960
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        15⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1080
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        17⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1684
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        19⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2372
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
        21⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2544
        
        C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe
        
        "C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        23⤵
        
        PID:780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Hearts\ja-JP\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Downloads\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Java\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Libraries\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\de-DE\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\de-DE\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc6d788eb75068e158aa27fcffc49bd8

SHA1
bcf2960182ec72b6177dc85e0255c825cfbb3ecc

SHA256
d14b7d61250d92ff8fbb157e15a3d69a349794b7a54ee6aae84e8cf5d9a012e2

SHA512
9dece1f885e7eafb852499bacaa81f1b8fae4598a1132631834c731b9b121af026ea17a9c0d477fbeef58324dafac59f30408cd0bccc932f785beef5d203b52d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7237030b734d0b0527bf6918db33b502

SHA1
b9cd18a133d08a71204be7fbd082da0c22af027b

SHA256
077faff6a0a67cc0726e517fc679754cd95511e8d0226a41887f1ad9b95b8d96

SHA512
f170b88e678841550819fbfb8f386e79d4e84074e78c0b3197c2efbff1f7b8b818c3f1e8bbf7a289d5be2487efcc1764823eb441a81dfffd68004788a0b6b007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b28755285f06359a20fbc93ae2926e5

SHA1
d88ed1e4f87f49a44cbdc5375b0164c70032b340

SHA256
9c9be7fecf4b5853edc51e6be7ddb96c988590c64296770b1b6bd54fe7b608eb

SHA512
de23585826b076909106b611d63b28d808407b02a76731092db75de8286881aa3196bc97257926f2c8ecc25190fa2576066612a5b44627ae7f28deaf3f4005bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb1b1992d5e2cc98a35e891725bdda53

SHA1
7620a96b46dec6fe08ebffeb832eadad9f2379f4

SHA256
6940250e082f4b7f18fb5698404b8fabef3a2a24dd5ace142d3275bff8d03fc8

SHA512
0bdb04112bde8f029c0a17595e0ef4e79461898dd2525cee56545976ad86b9368e2fef32a47f99bc202c0ca95b807c05ea6f1aa6c8902ff2b4b7f9f3cea4b5c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e03a05385770efc239128b81885a6c44

SHA1
c5d8a7e5865a559a0d3429b8d16117de7b731c16

SHA256
a8a490625a2bcde784fab8031fb0620a6ecb5147569270f4cf48d964090a0631

SHA512
68877491cf2bc783941ed36d0bb5f7e06a8bbc48725eb2466123a6e47340ee71944a563039f8d0522b61a7854c5de1012807411327d9611059e3fb408c6bc17f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcb76a11f8941e6da1886988a5413b06

SHA1
1234d5cc6f20cd8040f150369883689696b6f166

SHA256
11a2fa3b02065c90c61e5e665a7b6007940e89ca95cdd293f631f6211afea53c

SHA512
5774ca19e26d4e27958e5368e432b7a593cee4f41de113d2fa0fa79e3d6f4513aa04a7119cfa57d55d2ab83981e1448677522a546b645dc1ff740194030408b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16f9d78acc4716974f0b829ce8ddef13

SHA1
8209d0823bed51193f0751041d3484ab2240a788

SHA256
6c8f5a102003393a4f79ef0e3c6682c640a9aed84de5cbc31343cacf3bab848c

SHA512
d6f0780010530902fff475497525cd4b8ce883ea9177790da31089d8b2830f05c542c4ffbcba9e8eca174395b85c9a3aa20e38bbadd7e203d9e754bd5f9baff7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6767832ab843a007a6ef0c27325b7a7

SHA1
2c8cdd710e0cb7c67d5fc1bdf94e71797b8899f2

SHA256
9e8603563bb1ffcf2b889d5664c7a14b921d03c255b4e7be0db957c23305d90a

SHA512
949cd379372ad43758cf6f770ad22b1997db0b9e4b48000d089420eacee0fecb320717669d8a7d3d56b422eb11071e16b45dc012218d590cfc378238f3845f15

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
223B

MD5
1173c21879270c90185e4983ab0de402

SHA1
d3901540dfad54390d2c87176cc96b90b28cd05f

SHA256
905320354f5d6205416b06449ea20bf5565f95006fd4db1b32e6cefa47008925

SHA512
3a3e9e888f82a26715943960ecf8eda77de6cbbb2693520ac93577b3e9c5e15f63e4b9036f960d4114b71f4c796d93f215a685264da8696b5c20f3ecd319bb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD9AE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
223B

MD5
273554751d8272b9ca78cd3b84058c56

SHA1
b072976f7136bf500c4e606cbd96436d56f18361

SHA256
7918ef1bf57cf5275f8546497e6a7b212be762355b3bc20e31a6eae29573d60f

SHA512
f8f6e05ecb47df9f6f196717fd199ddc5338d7b6e48cb7fcc0033af89360bb5ef920bf4c3d97d979802423c7bc6f80b26b88c0f653c94654ac104f16f48cd2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
223B

MD5
ff7077ac6902250f2243e0c323394cf8

SHA1
32515299fe999e8cfbb2bf62d685a0e4564e7851

SHA256
fde868f67118b7c1ca6a8a85c1a325d30bcb294ad66181838102b3855fdaa26e

SHA512
ae3322784810457c94d2fbc17b7963aed61e8485e8f05bd51b5787ec041c620fd5dca318fb26a2dbebd7de3db30b766a7f8c20105a34340375e2460742e0a33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
223B

MD5
3dfc20499d9fbc70c005732c47d322f4

SHA1
12ed1c6f1417f7918f8ca8b933596541fb1d0e76

SHA256
675b86aad6eeb410fb48c9e8f6f3cbb265b8ae3d44395b83d36ac3f11e2cad6d

SHA512
2a57731d2b38e190673c46eac129e35b674e781a4367cfeff7b78d47676446eede38e9e3342848d04b547c7364323982e4e77f07bd9c8b0e6d374c91d9f5a1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9D0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat

Filesize
223B

MD5
cf1356ed158ce394aba0aeeadeff7881

SHA1
7d533854a41a9d396ae71146025f3fcf0a529346

SHA256
290d363c9678062ef8425183a447e47b9d733283451277dd66dfaf777709d617

SHA512
cbe28dcf50169dd385181a7f21a0d7361ffba01dac9741d1a07cf1ac3e88d5269d95f93e51a8f5f62e1dc09509174ad56f53aaa05a9fd9ce5775101c7d521899

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
223B

MD5
7e72412ba1cca334af215081269f5a45

SHA1
158f8822859718985fb7c30fd224296040c60803

SHA256
b22526791e26929a6dc53a5f3fca9af60bab0b5be8d6e130de9aaf95e41494ed

SHA512
27c23e0b4373f7faed38ac5b0a24bb67f0083108bc693f92ac0b688ae80e987be60d9de7fca5a04183da8a323ec0b9d10bcd8f54774d212599fdccdfa31a7b16

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

Filesize
223B

MD5
a929ae908107859e3ab227fdda7eb500

SHA1
8a485ebb1050f7b4d8a6378e17304d4ed3a05835

SHA256
e0017b062319180d9443413d07f02f26b77a3eefc8c625e9ca0c4bcf9fab375a

SHA512
5873dd59b23b19834ffc2dc3b0506af480816b1e34186e2671ae95868ff2674966a5bc63e4a21312048edcddb7560dbb829d7538ee0cf47416184687d6c9f58c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

Filesize
223B

MD5
aa442dc7f71fc4d2accd2a921e082967

SHA1
6f0876f7a5d455de7395ea122123393b3a212dfb

SHA256
b483aab9a95131223a8da7072ca92151233f8d82347cc1411a83ae086723889e

SHA512
0dff280b2d5d358744a764046cfa139d6c48bc15cc8afde535ca75da80c0121686c30408733553073bf42b3d1727bdc26435a3b10827f1986a5640529a7b5e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
223B

MD5
46c9eb67181161daaec27cceff3c77c0

SHA1
2456ff3590a8ea8b37a678c5a0447353f7a91179

SHA256
5133b8762d0204ccab1fc9bf87ea11b44bdd15f70a24f4bf272e1a2d53670754

SHA512
8b40dfdf4d28419aef73d8c7bab245b6354282e2ff15cb86ee624672de1666199ef70d67db46be77937c2638a4482288427d8438175419ebd2162ad599f9b8f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yhXGfi446B.bat

Filesize
223B

MD5
6d34b5bbf1f1a6f4300d220e98123c1f

SHA1
4315e4770b8ca06645321188cca36fe163aeb667

SHA256
61cf8c799f72b39fcc2041716cae1c7b7dfd936b1743895a6d2aec2ab29578df

SHA512
105d416f02bad634a3dc16819c3ac3711595afc548ae9c38ba22c0754f64314a6e21d48dfe6c600d9adddcc693dba7b4cfc30ebb34a807e7b9150cbc8719ae51

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6dfa8614c4015fa6ba12a5b761cad18a

SHA1
44c039094e03c99fcad4d7dbd1de9a47b0f0dc1e

SHA256
4c0bb0e00dd9b5baf9b63ad10c58e5a3cb5f652d7a65d39746c3f649fba39ca0

SHA512
4b61385725397e4f0ba8c3d58e9d107f135bd455b7c190ac29c883275e08cdc7c3b5622d7f5c91281c5e03f010a0c553f04f6e968ca758d98e1c1921045a1d69

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/580-329-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/580-330-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/836-630-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/1580-150-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/1664-209-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1696-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1696-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1696-17-0x00000000007C0000-0x00000000007CC000-memory.dmp

Filesize
48KB

Download
memory/1696-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1696-13-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/1848-391-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1848-390-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2392-451-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/2528-269-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2560-96-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2572-570-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/2756-82-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download