dcrat | 7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a.exe
Size

1.3MB
MD5

5834dce8c271bee957548978cd9e1bbb
SHA1

de656cad26ec0df947746c85ec4a25db6e2b039d
SHA256

7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a
SHA512

f2539a41f49f4a572039560d6ccb6b6daa3580395645d6d76ca6dd5dac0d77fe7f23ecd309c7995f3066ce9d1d58787fa7e1cc284c23860ea5f831419a571e78
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2908	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2908	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016fc9-9.dat	dcrat
behavioral1/memory/2952-13-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/1312-77-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/1584-246-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2556-306-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/1660-426-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2172-486-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat
behavioral1/memory/800-546-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2144-606-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/2268-666-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe
2824	powershell.exe
2680	powershell.exe
2540	powershell.exe
2128	powershell.exe
2716	powershell.exe
2572	powershell.exe
1964	powershell.exe
892	powershell.exe
1904	powershell.exe
1448	powershell.exe
1728	powershell.exe
2564	powershell.exe
2208	powershell.exe
1564	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2952	DllCommonsvc.exe
1312	services.exe
620	services.exe
1584	services.exe
2556	services.exe
832	services.exe
1660	services.exe
2172	services.exe
800	services.exe
2144	services.exe
2268	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2960	cmd.exe
2960	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\AppPatch\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1060	schtasks.exe
1824	schtasks.exe
1708	schtasks.exe
2284	schtasks.exe
2712	schtasks.exe
2436	schtasks.exe
2756	schtasks.exe
2472	schtasks.exe
1520	schtasks.exe
2360	schtasks.exe
2428	schtasks.exe
2600	schtasks.exe
2432	schtasks.exe
2216	schtasks.exe
1596	schtasks.exe
2660	schtasks.exe
108	schtasks.exe
1676	schtasks.exe
3060	schtasks.exe
2384	schtasks.exe
2728	schtasks.exe
1900	schtasks.exe
2580	schtasks.exe
2440	schtasks.exe
2512	schtasks.exe
1148	schtasks.exe
872	schtasks.exe
2204	schtasks.exe
812	schtasks.exe
2296	schtasks.exe
1168	schtasks.exe
1636	schtasks.exe
1472	schtasks.exe
2100	schtasks.exe
1196	schtasks.exe
2588	schtasks.exe
3040	schtasks.exe
3024	schtasks.exe
2476	schtasks.exe
2228	schtasks.exe
1480	schtasks.exe
2792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2952	DllCommonsvc.exe
2952	DllCommonsvc.exe
2952	DllCommonsvc.exe
2692	powershell.exe
2824	powershell.exe
1564	powershell.exe
1964	powershell.exe
1448	powershell.exe
892	powershell.exe
2128	powershell.exe
2208	powershell.exe
2680	powershell.exe
2540	powershell.exe
2572	powershell.exe
1904	powershell.exe
2564	powershell.exe
2716	powershell.exe
1728	powershell.exe
1312	services.exe
620	services.exe
1584	services.exe
2556	services.exe
832	services.exe
1660	services.exe
2172	services.exe
800	services.exe
2144	services.exe
2268	services.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	DllCommonsvc.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1312	services.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	620	services.exe
Token: SeDebugPrivilege	1584	services.exe
Token: SeDebugPrivilege	2556	services.exe
Token: SeDebugPrivilege	832	services.exe
Token: SeDebugPrivilege	1660	services.exe
Token: SeDebugPrivilege	2172	services.exe
Token: SeDebugPrivilege	800	services.exe
Token: SeDebugPrivilege	2144	services.exe
Token: SeDebugPrivilege	2268	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 972 wrote to memory of 2832	972	JaffaCakes118_7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a.exe	30
PID 972 wrote to memory of 2832	972	JaffaCakes118_7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a.exe	30
PID 972 wrote to memory of 2832	972	JaffaCakes118_7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a.exe	30
PID 972 wrote to memory of 2832	972	JaffaCakes118_7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a.exe	30
PID 2832 wrote to memory of 2960	2832	WScript.exe	31
PID 2832 wrote to memory of 2960	2832	WScript.exe	31
PID 2832 wrote to memory of 2960	2832	WScript.exe	31
PID 2832 wrote to memory of 2960	2832	WScript.exe	31
PID 2960 wrote to memory of 2952	2960	cmd.exe	33
PID 2960 wrote to memory of 2952	2960	cmd.exe	33
PID 2960 wrote to memory of 2952	2960	cmd.exe	33
PID 2960 wrote to memory of 2952	2960	cmd.exe	33
PID 2952 wrote to memory of 2824	2952	DllCommonsvc.exe	77
PID 2952 wrote to memory of 2824	2952	DllCommonsvc.exe	77
PID 2952 wrote to memory of 2824	2952	DllCommonsvc.exe	77
PID 2952 wrote to memory of 1904	2952	DllCommonsvc.exe	78
PID 2952 wrote to memory of 1904	2952	DllCommonsvc.exe	78
PID 2952 wrote to memory of 1904	2952	DllCommonsvc.exe	78
PID 2952 wrote to memory of 2680	2952	DllCommonsvc.exe	79
PID 2952 wrote to memory of 2680	2952	DllCommonsvc.exe	79
PID 2952 wrote to memory of 2680	2952	DllCommonsvc.exe	79
PID 2952 wrote to memory of 2564	2952	DllCommonsvc.exe	80
PID 2952 wrote to memory of 2564	2952	DllCommonsvc.exe	80
PID 2952 wrote to memory of 2564	2952	DllCommonsvc.exe	80
PID 2952 wrote to memory of 1448	2952	DllCommonsvc.exe	81
PID 2952 wrote to memory of 1448	2952	DllCommonsvc.exe	81
PID 2952 wrote to memory of 1448	2952	DllCommonsvc.exe	81
PID 2952 wrote to memory of 2208	2952	DllCommonsvc.exe	82
PID 2952 wrote to memory of 2208	2952	DllCommonsvc.exe	82
PID 2952 wrote to memory of 2208	2952	DllCommonsvc.exe	82
PID 2952 wrote to memory of 2692	2952	DllCommonsvc.exe	83
PID 2952 wrote to memory of 2692	2952	DllCommonsvc.exe	83
PID 2952 wrote to memory of 2692	2952	DllCommonsvc.exe	83
PID 2952 wrote to memory of 2540	2952	DllCommonsvc.exe	84
PID 2952 wrote to memory of 2540	2952	DllCommonsvc.exe	84
PID 2952 wrote to memory of 2540	2952	DllCommonsvc.exe	84
PID 2952 wrote to memory of 1564	2952	DllCommonsvc.exe	85
PID 2952 wrote to memory of 1564	2952	DllCommonsvc.exe	85
PID 2952 wrote to memory of 1564	2952	DllCommonsvc.exe	85
PID 2952 wrote to memory of 2128	2952	DllCommonsvc.exe	86
PID 2952 wrote to memory of 2128	2952	DllCommonsvc.exe	86
PID 2952 wrote to memory of 2128	2952	DllCommonsvc.exe	86
PID 2952 wrote to memory of 2716	2952	DllCommonsvc.exe	87
PID 2952 wrote to memory of 2716	2952	DllCommonsvc.exe	87
PID 2952 wrote to memory of 2716	2952	DllCommonsvc.exe	87
PID 2952 wrote to memory of 1728	2952	DllCommonsvc.exe	88
PID 2952 wrote to memory of 1728	2952	DllCommonsvc.exe	88
PID 2952 wrote to memory of 1728	2952	DllCommonsvc.exe	88
PID 2952 wrote to memory of 892	2952	DllCommonsvc.exe	89
PID 2952 wrote to memory of 892	2952	DllCommonsvc.exe	89
PID 2952 wrote to memory of 892	2952	DllCommonsvc.exe	89
PID 2952 wrote to memory of 1964	2952	DllCommonsvc.exe	90
PID 2952 wrote to memory of 1964	2952	DllCommonsvc.exe	90
PID 2952 wrote to memory of 1964	2952	DllCommonsvc.exe	90
PID 2952 wrote to memory of 2572	2952	DllCommonsvc.exe	91
PID 2952 wrote to memory of 2572	2952	DllCommonsvc.exe	91
PID 2952 wrote to memory of 2572	2952	DllCommonsvc.exe	91
PID 2952 wrote to memory of 1312	2952	DllCommonsvc.exe	107
PID 2952 wrote to memory of 1312	2952	DllCommonsvc.exe	107
PID 2952 wrote to memory of 1312	2952	DllCommonsvc.exe	107
PID 1312 wrote to memory of 560	1312	services.exe	108
PID 1312 wrote to memory of 560	1312	services.exe	108
PID 1312 wrote to memory of 560	1312	services.exe	108
PID 560 wrote to memory of 2632	560	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7f92db21342747b67a1ebbf04b2dcc6586941bdbc8cf4c2bb4cff1b82ddae82a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:972
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2960
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1312
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2632
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        8⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3056
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        10⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2540
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        12⤵
        
        PID:800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2836
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        14⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1780
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
        16⤵
        
        PID:940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1208
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        18⤵
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2092
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
        20⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2456
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        22⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2384
        
        C:\Program Files (x86)\Uninstall Information\services.exe
        
        "C:\Program Files (x86)\Uninstall Information\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Prefetch\ReadyBoot\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Music\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\AppPatch\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\AppPatch\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\AppPatch\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ce0a7a4f8616b48856c42fda39fa4d3

SHA1
b932f60005965c306f4b94c60439dbc6dcbc81ac

SHA256
2e35e5d9b1d5aa2e603c01ec34d20ac66f19982585186ec603f4f7b34e9e0a8a

SHA512
6386e8520bc0e3976de4e17c92d5a88f4516170da8e12409d61e9677ce855ffb846c497f5dede3b14af9b8e31413c65add870dbcc289fa01ce42042393f0bf2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e24ca4e1e5f2f932a480e5bdf3b27361

SHA1
73eda81555516176c1801da65bf73b93e033d159

SHA256
d978097438dae345bdd3971f1596ef88be66baa9f1d4114fadb91d26b41b84c4

SHA512
77cc7f578aabd98202d4cd9420d3ee7ceaceb27531f93a03977087973e52f3e1b2d5e10df9c0fbef9c7b06b58c9bf5fd10d4d8d1dba61ed90b527710f4bd04b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e2566eed35e97cc29ace808c0a05c0d

SHA1
6b796ca29bbea6c16d9f7567efc8de63e8526084

SHA256
7b61aa08d36bd29fa76a11fc3471c2bb600693d2ba67c171343f531e7f5c00e6

SHA512
75a57b9d6c0b43daf40188063e1ebcd2381c1f7c5d69b3f605c271a39dd8b3824ba820c3cce0d83c7ddeef90e9a8e0496383d0813f6a74f20c597fcf08b6b709

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70c32ec48f65a28cf61f3fda9bce8782

SHA1
433bacc92d5acc5bd0ba56e56caa9d86c28de369

SHA256
680c588568f3bf6afd3b5e7c7ccd41c2f4dba0b0fafe273b4adfdd46567e242a

SHA512
146952098c1ecd1e0ca9fa77844809b1b931ec46a2873e9d0cf479bb739c763b6aa9aa5efd5265849fa5983dc5a4389fe5ab2d23009d8b9d24cb983068f148f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5adb6731fd60010df998da8f1f877d5b

SHA1
61bb3692b80b3909b95b2b9209c784ae3b7668f7

SHA256
5454712b1ec3b1f34611e272a9eede9877c844138e0bec6c91dea73051696f06

SHA512
ee7c01371eb64c293988b2b728870053ab4af0948c12cca19c92cd152b6b2b05f4002a8bea4d8b2fc6e9e805706a3ab93c7ccbef9e3791a8170b3a3499785f2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c36810ac0c32545bacbafda5368fa102

SHA1
956c5b7e5be263b7bf45b850edcc54eccac3da54

SHA256
4636eadf83ad0a4338a60121db2eb36ea0e193af1e82915f6dfb0dd5c7f33306

SHA512
e7ad3e2200793d42a95b21c3fd85e39e7af84a1e8c08d91f3899f7ce7846fd1f52ed1278071c28c7d3e090a2325014325f3b6d9f8982144690ee466dfb288d84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23964deb2e95bd39939a3a696868214c

SHA1
939053fa339e727ac477dbd7766fa84ce7cebce5

SHA256
6df86228628bcfd5d4c862d6eb333898381dd9fc7453031a351a659b2768ce04

SHA512
24c50042ce754064e7ab2cab843cd19bfb3c244e140fa128496ac2444f4c2e84d2f816ee712d12d65de40f4c82c7c099b5a7d5b7c0d885cb9924b4674ba73737

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efe476c19a6f45dd11e8d59c586a0ea4

SHA1
66c659fae46e96a891d975748846ec7b5cd44011

SHA256
07e7e6fa1b892329ba2cf41f81eeec145ef30e6545368c7848783afd0a0c01bb

SHA512
7144280ae44550be3c69a5e298f84c5157a6bb7cbd5159201645c47e4d37c9fcf534772d7456f997a4a2a50c853e439fc975076010eebefcbcd1fa5bad048eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

Filesize
222B

MD5
614e7eb2867c46d25abd7351139819cb

SHA1
f2e09f4c2b9a92ba65c92f54bb76283e535d0f66

SHA256
877a83aeba74dbb61ceb5683a100fed769998168cf2acb29fb4076ac460ea229

SHA512
12a3022f9dd86b726a7ae271b815c447c4251c725529ae261d84279b11dab418a43400bccb04cf6089ddb09e92faf4e99f65a3d915ee4a479b7cc9e379a82213

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
222B

MD5
4e35cffcb9fcd5cec97868d652754d12

SHA1
2bd94913ce6ec1f5c53529bb23375cfca0635048

SHA256
147f427f69b9bda19182ed2d74718f333d5222096e6e4e81dff9c8f94fcd5126

SHA512
1a7587f24a4d03ae08fb6b667fa4b0ae6fc1701e98c5f9f504391a005c7926abfa0b33bbae252a37bbbae1d8dbbc2c6285c174a1bddfab59b783ea0e34509a00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2001.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
222B

MD5
9ea72d44a536d31b25219961f379fb68

SHA1
1f431c0c6c52266eb4afe040a7514345cd55f743

SHA256
d13d167de6b4b72c846d5ee9a8f18fa1441f5e2abd847f6c0c285ce6e6102800

SHA512
04a527ea91aa43d48530dca508af5f540824fde36a10c0ed18986a805df5d1bc2288e0b6ad8c20f7a7233a158928f78edec1dba7054a6feedade5be7bf378e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

Filesize
222B

MD5
37afd400631da14dd31e763bac4ccdc3

SHA1
4a3bd1c163787c5ab09cfb24fe900d9dbf972876

SHA256
02de635e310a1ebc9d682bc7fac4371924c541c46c6ac60e60c163013c1cd04d

SHA512
fa97d78b37d2ebb5678c3eb7161966b7b20e4f8c9a2311bbc099322e8daefcf4d774576e5f539470d04968ac70d12dc6e064afde6bd4bbc3f28c6c4d49c0a45f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
222B

MD5
16dc66c0683d1dbb78b2fec94d389a9b

SHA1
0d3b396297860c35ea4258568a92e18b205705e6

SHA256
11cf237d02184b3b5c690b26aaa299cb37e04d4ad761035fe91cab40c530d605

SHA512
84904778834be91a64d5b205f1a4bf686d221789f7cce2ccab6fc42927c0e820f776fe6370600fd1e6a5634266ab1238ba5365cf467a630f2f215db4e7775d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar20BF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
222B

MD5
22e44c9a8e4380f9907b91e3ac537438

SHA1
b04401eafd6bf5fb99b0facff09790312df22b70

SHA256
deb6fa7ac0e83926f8c75b781aecf1ef9ca39272b725087efe5c3046d2a8414d

SHA512
8dbf4c1eb2c8b70c4c8388b8a81cc850cf39f354313038e6ad52e46866544e8a1ce313bd1da7cc119aed135797145019a26d4c59f85f06071555468068cd2f95

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
222B

MD5
07010064504d451a72b68934658dc2ff

SHA1
983803f5f4a38b3f3987c850ed18c78ce91e77e7

SHA256
5c4f2299631d997844a4b3f1ea700086bc39390d996a8abb0cd2e210f862ca13

SHA512
5b861de54ef2dcdd3c8f84504af1fdbec58d8a96b1476d0b5607f6bfd16cfe8c2c97e36ea6723b1669492b924c70313fae1de2b4f7d7ff6b00876216a4748c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

Filesize
222B

MD5
df6a031478d559c20797c1844782e0d7

SHA1
7bb469a6510a77293360a395a58db99270e46dbd

SHA256
0c55308ff316c9ac9810c42ab38c6ddca369b6720fadcaea002bffb535e32368

SHA512
2f106f5dd28bfe9690ee17dd4d0965b67c051cb9ae7a8bcc5424fa90645fd441cd4fca6bc270dfdcab6a22d15d75a86bab88c2dc2afc0e05ae079bc6591f116a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

Filesize
222B

MD5
10dd99f4a8b4884e0f3f011746f0d735

SHA1
e41973e7af8de6d1a798b049f048cfa1f60d2c9a

SHA256
7540c57e52479292049ea08fccc5a61c78e5f4a8a71ca82214a65f55b3b771ae

SHA512
d33482806de28a34ee004585f9ad44bc1f3296e17e34077d9a8a4e7bff0decced92fde7985ae08acd47529b54549f5de2af58161a16e467956d56cdfa9c3b6b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a79f493bb011f7cb46c51c369c39c0b2

SHA1
807a7dbb117e4832fe743773d30f278ded805b43

SHA256
7a7f9f2b0bdedbb42e91803e390afbb5923873151a627d78048a3d6caee09d5e

SHA512
d42b812d01be937a1921fab6a105f85525c579878ccd593645dd53f3cbd59928c98eb691598e76f0d910cb3a3ed073a86e02b07de3615639d0491bf7deb84b18

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/800-546-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/832-366-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/1312-77-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/1584-246-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/1660-426-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2144-606-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2172-486-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/2268-667-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2268-666-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2556-306-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2692-67-0x000000001B2C0000-0x000000001B5A2000-memory.dmp

Filesize
2.9MB

Download
memory/2692-68-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2952-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2952-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2952-15-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2952-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2952-13-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download