dcrat | d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f.exe
Size

1.3MB
MD5

c3eb38aa846e86ee2983be8dc52204ef
SHA1

fdb39bce400e93def646670afa578f083bc5e9d2
SHA256

d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f
SHA512

6a28fa053d33feed5946415b132755456b438d4ee99cec7f134ebe894da8319718e83268d9f8f205ef98c10845a508edb045f053a35da331e08bb29dc44faef2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2820	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d2c-12.dat	dcrat
behavioral1/memory/2768-13-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/1844-67-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1380-205-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/2148-265-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2760-325-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/2632-385-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1620-563-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2620-624-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
2992	powershell.exe
1284	powershell.exe
2664	powershell.exe
2244	powershell.exe
2840	powershell.exe
2688	powershell.exe
1608	powershell.exe
2752	powershell.exe
2888	powershell.exe
2636	powershell.exe
2628	powershell.exe
2996	powershell.exe
2720	powershell.exe
2712	powershell.exe
2228	powershell.exe
2832	powershell.exe
2756	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2768	DllCommonsvc.exe
1844	lsass.exe
1380	lsass.exe
2148	lsass.exe
2760	lsass.exe
2632	lsass.exe
968	lsass.exe
936	lsass.exe
1620	lsass.exe
2620	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2852	cmd.exe
2852	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\uninstall\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\ShellNew\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\IME\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\IME\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1924	schtasks.exe
2656	schtasks.exe
1772	schtasks.exe
1964	schtasks.exe
2324	schtasks.exe
1956	schtasks.exe
2956	schtasks.exe
2336	schtasks.exe
860	schtasks.exe
948	schtasks.exe
1824	schtasks.exe
1356	schtasks.exe
1556	schtasks.exe
2608	schtasks.exe
1064	schtasks.exe
1048	schtasks.exe
1696	schtasks.exe
2156	schtasks.exe
1936	schtasks.exe
2232	schtasks.exe
1396	schtasks.exe
2132	schtasks.exe
2192	schtasks.exe
1572	schtasks.exe
1944	schtasks.exe
1808	schtasks.exe
2452	schtasks.exe
2964	schtasks.exe
568	schtasks.exe
1264	schtasks.exe
2292	schtasks.exe
2076	schtasks.exe
2376	schtasks.exe
1600	schtasks.exe
2780	schtasks.exe
2596	schtasks.exe
2788	schtasks.exe
3008	schtasks.exe
700	schtasks.exe
2148	schtasks.exe
1168	schtasks.exe
1044	schtasks.exe
836	schtasks.exe
2944	schtasks.exe
2188	schtasks.exe
2468	schtasks.exe
3020	schtasks.exe
1504	schtasks.exe
2696	schtasks.exe
2496	schtasks.exe
2476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2768	DllCommonsvc.exe
2752	powershell.exe
2244	powershell.exe
2756	powershell.exe
2832	powershell.exe
2628	powershell.exe
2840	powershell.exe
1844	lsass.exe
2888	powershell.exe
2420	powershell.exe
2688	powershell.exe
2664	powershell.exe
2996	powershell.exe
2228	powershell.exe
2712	powershell.exe
2636	powershell.exe
2992	powershell.exe
1284	powershell.exe
2720	powershell.exe
1608	powershell.exe
1380	lsass.exe
2148	lsass.exe
2760	lsass.exe
2632	lsass.exe
968	lsass.exe
936	lsass.exe
1620	lsass.exe
2620	lsass.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	DllCommonsvc.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1844	lsass.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1380	lsass.exe
Token: SeDebugPrivilege	2148	lsass.exe
Token: SeDebugPrivilege	2760	lsass.exe
Token: SeDebugPrivilege	2632	lsass.exe
Token: SeDebugPrivilege	968	lsass.exe
Token: SeDebugPrivilege	936	lsass.exe
Token: SeDebugPrivilege	1620	lsass.exe
Token: SeDebugPrivilege	2620	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f.exe	30
PID 2420 wrote to memory of 2852	2420	WScript.exe	31
PID 2420 wrote to memory of 2852	2420	WScript.exe	31
PID 2420 wrote to memory of 2852	2420	WScript.exe	31
PID 2420 wrote to memory of 2852	2420	WScript.exe	31
PID 2852 wrote to memory of 2768	2852	cmd.exe	33
PID 2852 wrote to memory of 2768	2852	cmd.exe	33
PID 2852 wrote to memory of 2768	2852	cmd.exe	33
PID 2852 wrote to memory of 2768	2852	cmd.exe	33
PID 2768 wrote to memory of 1608	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 1608	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 1608	2768	DllCommonsvc.exe	86
PID 2768 wrote to memory of 2752	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 2752	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 2752	2768	DllCommonsvc.exe	87
PID 2768 wrote to memory of 2832	2768	DllCommonsvc.exe	88
PID 2768 wrote to memory of 2832	2768	DllCommonsvc.exe	88
PID 2768 wrote to memory of 2832	2768	DllCommonsvc.exe	88
PID 2768 wrote to memory of 2756	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2756	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2756	2768	DllCommonsvc.exe	89
PID 2768 wrote to memory of 2996	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2996	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2996	2768	DllCommonsvc.exe	90
PID 2768 wrote to memory of 2244	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2244	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2244	2768	DllCommonsvc.exe	91
PID 2768 wrote to memory of 2840	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2840	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2840	2768	DllCommonsvc.exe	92
PID 2768 wrote to memory of 2420	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2420	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2420	2768	DllCommonsvc.exe	93
PID 2768 wrote to memory of 2992	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2992	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2992	2768	DllCommonsvc.exe	94
PID 2768 wrote to memory of 2720	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2720	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 2720	2768	DllCommonsvc.exe	95
PID 2768 wrote to memory of 1284	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 1284	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 1284	2768	DllCommonsvc.exe	96
PID 2768 wrote to memory of 2888	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2888	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2888	2768	DllCommonsvc.exe	97
PID 2768 wrote to memory of 2712	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 2712	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 2712	2768	DllCommonsvc.exe	98
PID 2768 wrote to memory of 2636	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 2636	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 2636	2768	DllCommonsvc.exe	99
PID 2768 wrote to memory of 2628	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 2628	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 2628	2768	DllCommonsvc.exe	101
PID 2768 wrote to memory of 2688	2768	DllCommonsvc.exe	102
PID 2768 wrote to memory of 2688	2768	DllCommonsvc.exe	102
PID 2768 wrote to memory of 2688	2768	DllCommonsvc.exe	102
PID 2768 wrote to memory of 2228	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 2228	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 2228	2768	DllCommonsvc.exe	103
PID 2768 wrote to memory of 2664	2768	DllCommonsvc.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d08ced3a933d49adbbbe26e91fdcb79a09a2cf9d34083aa43cfdf34678b3855f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        6⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2184
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
        8⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2116
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
        10⤵
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2388
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
        12⤵
        
        PID:628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2428
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat"
        14⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:316
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        16⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:672
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat"
        18⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:840
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        20⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2140
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        22⤵
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\IME\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\IME\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\IME\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\uninstall\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77a9f371daa2a1a5ed910309556dc464

SHA1
fbb6853c854d6e6f6ed1af1bb2afca7fc2616ad9

SHA256
e8288311c61143351bf11a0281df9d6a54992fb701ed5b016710d7aa81a790f3

SHA512
718742f51e28022c6b3b1d992b58c91596837812be61911ee84776a8a5dbb44d7c90e71d22cf4b7df973c0e1bcd181392f1026cbafc4a73f4d46ea981a9d95cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab4b3227f8754ccccd0b7401717c3d24

SHA1
8d779305044335c5397c9ddccc04c83f346ffbf1

SHA256
94aa100e796e09c4f0fc13e2919ada7fea0b0fa51fb25a799eb05f5a66e5da61

SHA512
ce0cd280b2de92c966b2fe80a804ece84cec266c5194a0c682a6c0e68415ee82d3e6e086befbefdc1cbabb60d24f88ac75b5b6910a45d1f93ead4832d5705f2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f213d6ba197e1c159641fecfaaf55c91

SHA1
916cd05ad516db6117f5a960fa719285aef6ba50

SHA256
5f4845a5863f8428b0cf855a4d2927eb588ba9629ab82fab2f16c144ee2dee8e

SHA512
11b2cf7e23b5cc7811bf3eff5ba282a7e7a87ec0165b622e95657a8583c1c0319037dc714ae2281dfc3d4953a904dd6b037244699cb27f1ba18323fa244fef49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d527ee43088ee63473c583e008bef6a

SHA1
1d50822993e720e1187b669234906817e3f48e7d

SHA256
f3c7a24245426a3ffd04af5eb6725d793067c12b4a092459e8d9d87e6146cf05

SHA512
6454afe0650de3a41a430441e3b755189b5d471b87b6df3d855ebd430db745d0768da289e638f9010704c1a9968bdb3e2b107c0249db5fc016dc906ec7eaa54c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5e596ce3d1b8c6025cd9945cfafe0ef

SHA1
d678c6f483739e8845a4e94d3a18b7f2e5fe798a

SHA256
fede8d86c3863be9e9cd4b6179f8f018cdbe08d176c5c75eaf96efb940ca25bb

SHA512
bab0b3da36d7b3833cee6fff289050af4e53f2e6dd662cfebddf63df4f226dc19ce071063dd6dc7099d02ac92c9f3c9a0143a75346106ba6246d0bf6272c93a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e7af0dad9b7e4b0aae7bf534ba5b0aa

SHA1
86fafe6a73b749c76797eb1992ff72380581d0c0

SHA256
9abecbb0f5053085869ff5188dbf7a1cb72fb81dec65c1854f7dbb1dd1275437

SHA512
ed94d09adbf20e49b05c3a81004b850bca1886318af94eb7bf11ec567abbbc91b3b7c27e81d6a55a801f18f15672f2e9d7becfd4d952c7e10402f08dbd716daf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2ecf454788bc0d3a0d8645a64f551c0

SHA1
d7d15df3dc3042d491ee40cd9225e3453fc7dd22

SHA256
b5c16ee7da1c5e674f4f0c9ca0c876ea2b42788005c2c39fb28d484262cd7d53

SHA512
bd045c616dd1d491f7bfda3d27aa9bbdebc5147df92c0bf0cb3ed734cb9245cb72cad4be94a087eb551b1043f3df3789f1ae30e994ee540b42411a01717fd659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc14e57eef0a2f03ad247c173c1c41bd

SHA1
2ce7de4f9d2184f0068fd94eb96004dae0687167

SHA256
1ccce9e39f41c206b051278113871612cf837c597f11aa0629c7e6dbbe40cc5a

SHA512
6f877eed95240452c70a2baf67310967de6968002f53617ad99dfa5b91878e75c98f2f6fdce1de7aed0cd6983e59f595f6e0848753da55ed5273baaf083eb08d

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
196B

MD5
bf861ac95e3129cf99e8c381dd823e02

SHA1
ca68a1fac5b2741d28afd115e1424c07226422f4

SHA256
7802559c61f51e68a7cbb455d84f92e4e1d7efdb7d86f08244fdc3f1a5d1f831

SHA512
3ac7165ec759284e6a43767cead86988c5529fff7073d705fa8fe990fa068ac607acbbb519d8c2a7dc2e7f64e45e2be425893f271c3fbf4f64de6f9a727bfd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

Filesize
196B

MD5
75cdc0d18244717e6de2bd99ff79f440

SHA1
d49b1cf520c6a1ab02e0a6cee1bca7f2e54c41f3

SHA256
8d4bccbd4684cecec127cbce22d39b99ab94d7bb9dfd1dea2a9765496e357ba7

SHA512
36f752b46ff5d7131462e8fa8f67babb6fad9528a29d86fab1f38c4dd53379426d81c8fbcb4674ca59c6d5d4de4a78f74ad17a3d59fb49b8ea80095812eb3099

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat

Filesize
196B

MD5
4ddeb4e58d241fcbd8c00da77cef54a9

SHA1
27114809fa6b52a2b6c7b45302dc76bcf305aaef

SHA256
d5663d93afedcc33fb6be60b9b7f93d4aa45fd4839be92372ad96b9e6c15ce9a

SHA512
a09ada46bf3d4963774badecfeaae9e693a43421d88241a65040477509b4d66ab3a827c54b0a326a464adc700f5ef1ecc23c9ddb575af8476bea896defc7e2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6BDF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
196B

MD5
db8218b70981886d1a430e04796f4d6a

SHA1
d356bbe9f35e89c2621aa0dfc72d58ff79e408b0

SHA256
56618895315b3cbebdf85b622a8b1b6ecdc40286580244e3ff6502df7a2636f4

SHA512
55ccbaf44274a3351eb85e17749d1ecaf44c22d1b6ce2528427e16c87c7a78732c8284fd2e5edeeaf30031747bec763d05c459ef4bfbac8a2abdeec6a6e62479

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

Filesize
196B

MD5
12281165e3d56ad44b7c5a0ff17f841d

SHA1
ee71bdf25dd4ec4214e920e1105f4da2cebf959b

SHA256
c014b676819d88f72c23afbbc297cf7c5c97dd2a3d71d17cce49d0fa2d974285

SHA512
e411d03fe1df5eb5765c341a35bc25f2bf85a8c172b9c4e92cfe4cc6ad7a3672799f293a44bbb0760a19a6d0556249d7dca03d97482e246a3c8dc3974298b364

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLJ4q7S46F.bat

Filesize
196B

MD5
e49277314184db75a1425d1411405563

SHA1
615f0c97b7af111acb27343ff64a2412a01cabc6

SHA256
23b93074d0b823afe48495d9b824aadcef86b030b51213edd26ed56a5e288356

SHA512
76f6c95394bf71d0f6fba6d1b1d5e859178efd88e7ab6a3dd10128bd9c06a0ebb40c8d5cdc859b6f6849894edd8b94e93b5b178ffe3a7628e9496c3affae81b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
196B

MD5
a65f80a9b923c0fb18e89e7bd424eded

SHA1
c967a87b35c594df79137575e5770703772128a8

SHA256
6a6e524b967f2d0f5b02b5e638aadc57637bfaaa81742ee77109e438215c6a5b

SHA512
f26e9f2959489f876570d265d1a30c041f967c3159ce87f6b981d37b297bca35713db6d660d5705cd38272c5da51c3a2ad01159279524804f3877f3701688247

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6CAD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
196B

MD5
f0ca553d7b3563abd00fed417e879a04

SHA1
f77ac24e87ac10609cbcb65b95ae455f1e90e6fb

SHA256
14c29860e6926268bc246f6997d2649d1ed1c51fb71af7ae34c9c8cef6341c5b

SHA512
0c43930c89f4cddc3e1d7c79b5d0eb49ea3538ee1d50fcd8d62bb384d137dc8fd1e68c3640c44edd742b03abf185c7944ce26a6e6c5bd5322aacec1132396d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

Filesize
196B

MD5
587312364eacb96a8f92d7d9034a7460

SHA1
48c61077b9966968e51bf06e7326eb26975ddb85

SHA256
112ca65442cf56a08b56f6c233300c03706e7b3a7ef260d713328215ef9367ef

SHA512
c050542dc6226461a55614264aca83233c989f253290f597d7de289347e33ce4e5125132456b37d466133813548755a1d76b5519c498bbee72916d0bd1f8ddb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
263cc2b409721d343fd532696ff3ce56

SHA1
8ba1209c6a503e790ef9ec05e519f4988ee16b5c

SHA256
582a3c2e1bdeea1a5ed6ee7fbfa7cc5376d41e8f04e96aa2e6fc4c3bdf3954e3

SHA512
475c0494bea1138fe3880f35b4a498c23ffa3bf2554e9423b4fa5fba711025404a8233a4e62cc2033ac7b8c876cfe92bf870ef1b45a8c48e77096894b56f6c52

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1380-205-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/1620-564-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1620-563-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/1844-67-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2148-265-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2244-70-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2244-69-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

Filesize
2.9MB

Download
memory/2620-624-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/2632-385-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2760-325-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/2768-17-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2768-16-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2768-15-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2768-14-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/2768-13-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download