dcrat | e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778

Analysis

max time kernel
147s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778.exe
Size

1.3MB
MD5

25d86d7e7c5285aaf00fb940e9dd0aef
SHA1

2bfbd063bb148321566377705978962bb0e40d0e
SHA256

e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778
SHA512

df2b9a11720b1c725af1095198357d1aad4b2b197a24105c06cb63dd2dc9d057c6ff7e0d943f4fc4901c99af379e34f2ab8b8281e4f807e90f6411e7c1c59a8e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	652	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2712	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2712	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000195c6-12.dat	dcrat
behavioral1/memory/1896-13-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2504-136-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/936-195-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/612-255-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/888-315-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/2904-375-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1972-435-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2864-495-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/1876-614-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2804	powershell.exe
2792	powershell.exe
2896	powershell.exe
2904	powershell.exe
2928	powershell.exe
2772	powershell.exe
2668	powershell.exe
1592	powershell.exe
1680	powershell.exe
2872	powershell.exe
1700	powershell.exe
2808	powershell.exe
2868	powershell.exe
2788	powershell.exe
2932	powershell.exe
3064	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1896	DllCommonsvc.exe
2504	System.exe
936	System.exe
612	System.exe
888	System.exe
2904	System.exe
1972	System.exe
2864	System.exe
2484	System.exe
1876	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Resources\Ease of Access Themes\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Ease of Access Themes\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1984	schtasks.exe
2552	schtasks.exe
2348	schtasks.exe
2844	schtasks.exe
1488	schtasks.exe
960	schtasks.exe
2368	schtasks.exe
1668	schtasks.exe
836	schtasks.exe
1976	schtasks.exe
1176	schtasks.exe
1924	schtasks.exe
2216	schtasks.exe
2468	schtasks.exe
2428	schtasks.exe
2228	schtasks.exe
704	schtasks.exe
552	schtasks.exe
1408	schtasks.exe
764	schtasks.exe
2704	schtasks.exe
3000	schtasks.exe
2616	schtasks.exe
1844	schtasks.exe
2644	schtasks.exe
2304	schtasks.exe
1664	schtasks.exe
1140	schtasks.exe
784	schtasks.exe
2972	schtasks.exe
3040	schtasks.exe
2396	schtasks.exe
2540	schtasks.exe
692	schtasks.exe
1744	schtasks.exe
888	schtasks.exe
3052	schtasks.exe
2748	schtasks.exe
2164	schtasks.exe
1732	schtasks.exe
2024	schtasks.exe
2400	schtasks.exe
2860	schtasks.exe
652	schtasks.exe
1412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1896	DllCommonsvc.exe
1896	DllCommonsvc.exe
1896	DllCommonsvc.exe
2928	powershell.exe
2808	powershell.exe
3064	powershell.exe
2788	powershell.exe
2896	powershell.exe
1700	powershell.exe
2932	powershell.exe
2872	powershell.exe
2868	powershell.exe
2668	powershell.exe
2792	powershell.exe
2804	powershell.exe
2772	powershell.exe
1680	powershell.exe
1592	powershell.exe
2904	powershell.exe
2504	System.exe
936	System.exe
612	System.exe
888	System.exe
2904	System.exe
1972	System.exe
2864	System.exe
2484	System.exe
1876	System.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	1896	DllCommonsvc.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2504	System.exe
Token: SeDebugPrivilege	936	System.exe
Token: SeDebugPrivilege	612	System.exe
Token: SeDebugPrivilege	888	System.exe
Token: SeDebugPrivilege	2904	System.exe
Token: SeDebugPrivilege	1972	System.exe
Token: SeDebugPrivilege	2864	System.exe
Token: SeDebugPrivilege	2484	System.exe
Token: SeDebugPrivilege	1876	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2940	2772	JaffaCakes118_e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778.exe	30
PID 2772 wrote to memory of 2940	2772	JaffaCakes118_e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778.exe	30
PID 2772 wrote to memory of 2940	2772	JaffaCakes118_e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778.exe	30
PID 2772 wrote to memory of 2940	2772	JaffaCakes118_e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778.exe	30
PID 2940 wrote to memory of 2876	2940	WScript.exe	31
PID 2940 wrote to memory of 2876	2940	WScript.exe	31
PID 2940 wrote to memory of 2876	2940	WScript.exe	31
PID 2940 wrote to memory of 2876	2940	WScript.exe	31
PID 2876 wrote to memory of 1896	2876	cmd.exe	33
PID 2876 wrote to memory of 1896	2876	cmd.exe	33
PID 2876 wrote to memory of 1896	2876	cmd.exe	33
PID 2876 wrote to memory of 1896	2876	cmd.exe	33
PID 1896 wrote to memory of 1592	1896	DllCommonsvc.exe	81
PID 1896 wrote to memory of 1592	1896	DllCommonsvc.exe	81
PID 1896 wrote to memory of 1592	1896	DllCommonsvc.exe	81
PID 1896 wrote to memory of 2804	1896	DllCommonsvc.exe	82
PID 1896 wrote to memory of 2804	1896	DllCommonsvc.exe	82
PID 1896 wrote to memory of 2804	1896	DllCommonsvc.exe	82
PID 1896 wrote to memory of 1700	1896	DllCommonsvc.exe	84
PID 1896 wrote to memory of 1700	1896	DllCommonsvc.exe	84
PID 1896 wrote to memory of 1700	1896	DllCommonsvc.exe	84
PID 1896 wrote to memory of 2792	1896	DllCommonsvc.exe	85
PID 1896 wrote to memory of 2792	1896	DllCommonsvc.exe	85
PID 1896 wrote to memory of 2792	1896	DllCommonsvc.exe	85
PID 1896 wrote to memory of 2896	1896	DllCommonsvc.exe	86
PID 1896 wrote to memory of 2896	1896	DllCommonsvc.exe	86
PID 1896 wrote to memory of 2896	1896	DllCommonsvc.exe	86
PID 1896 wrote to memory of 2904	1896	DllCommonsvc.exe	87
PID 1896 wrote to memory of 2904	1896	DllCommonsvc.exe	87
PID 1896 wrote to memory of 2904	1896	DllCommonsvc.exe	87
PID 1896 wrote to memory of 2932	1896	DllCommonsvc.exe	88
PID 1896 wrote to memory of 2932	1896	DllCommonsvc.exe	88
PID 1896 wrote to memory of 2932	1896	DllCommonsvc.exe	88
PID 1896 wrote to memory of 2808	1896	DllCommonsvc.exe	89
PID 1896 wrote to memory of 2808	1896	DllCommonsvc.exe	89
PID 1896 wrote to memory of 2808	1896	DllCommonsvc.exe	89
PID 1896 wrote to memory of 1680	1896	DllCommonsvc.exe	90
PID 1896 wrote to memory of 1680	1896	DllCommonsvc.exe	90
PID 1896 wrote to memory of 1680	1896	DllCommonsvc.exe	90
PID 1896 wrote to memory of 2928	1896	DllCommonsvc.exe	91
PID 1896 wrote to memory of 2928	1896	DllCommonsvc.exe	91
PID 1896 wrote to memory of 2928	1896	DllCommonsvc.exe	91
PID 1896 wrote to memory of 2772	1896	DllCommonsvc.exe	92
PID 1896 wrote to memory of 2772	1896	DllCommonsvc.exe	92
PID 1896 wrote to memory of 2772	1896	DllCommonsvc.exe	92
PID 1896 wrote to memory of 3064	1896	DllCommonsvc.exe	93
PID 1896 wrote to memory of 3064	1896	DllCommonsvc.exe	93
PID 1896 wrote to memory of 3064	1896	DllCommonsvc.exe	93
PID 1896 wrote to memory of 2872	1896	DllCommonsvc.exe	94
PID 1896 wrote to memory of 2872	1896	DllCommonsvc.exe	94
PID 1896 wrote to memory of 2872	1896	DllCommonsvc.exe	94
PID 1896 wrote to memory of 2788	1896	DllCommonsvc.exe	95
PID 1896 wrote to memory of 2788	1896	DllCommonsvc.exe	95
PID 1896 wrote to memory of 2788	1896	DllCommonsvc.exe	95
PID 1896 wrote to memory of 2668	1896	DllCommonsvc.exe	96
PID 1896 wrote to memory of 2668	1896	DllCommonsvc.exe	96
PID 1896 wrote to memory of 2668	1896	DllCommonsvc.exe	96
PID 1896 wrote to memory of 2868	1896	DllCommonsvc.exe	98
PID 1896 wrote to memory of 2868	1896	DllCommonsvc.exe	98
PID 1896 wrote to memory of 2868	1896	DllCommonsvc.exe	98
PID 1896 wrote to memory of 2916	1896	DllCommonsvc.exe	113
PID 1896 wrote to memory of 2916	1896	DllCommonsvc.exe	113
PID 1896 wrote to memory of 2916	1896	DllCommonsvc.exe	113
PID 2916 wrote to memory of 984	2916	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e95bce0f19ee0543b051928ebd7e1a7ebbc024a590b6d22278d6744063841778.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Pictures\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FbCxnwLpxR.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:984
      - C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        7⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2204
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        9⤵
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1992
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        11⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1520
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        13⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2080
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
        15⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2156
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        17⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2704
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
        19⤵
        
        PID:1088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2672
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        21⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1592
        
        C:\Users\Default User\System.exe
        
        "C:\Users\Default User\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat"
        23⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Resources\Ease of Access Themes\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Ease of Access Themes\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Documents\My Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\ja-JP\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Start Menu\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3fa7f66d3c22ea861c9273eff56bd8b

SHA1
26bab0ac20872f43aac4131856767a69ab0a24a0

SHA256
da62dbafcaa089a417af95b25be1ee6c4183f9404a81d2d37cd20cc1d10d185f

SHA512
5dd6004017e8b9f7cda726b9cc68ae63452fd952ca62f7fc9265ec3cb65cae861b1c8f8e70147df5f3c196805a83088919ac45271f3015980432029c9f80d6f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a99a45e4817a5644db50d8d776e9f94

SHA1
5be07d2aa6aa6ead99ee5badf4e110616c36438f

SHA256
f109795b02d92cd3596901cfd97d1a4abe341dfd855f24e5eabe57c15f4bb71f

SHA512
049c79a706bac04a31f40ccb36c82c10fc2a671c3e381ef202f5abccc5f200b7fae027eb5ddd374cdfa5c7aa1a4375120e68b27e435102900d4688ceeca07b39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
348bed6eeff2c8ac0292d9e15d12d9c7

SHA1
8331b5ce0d400682de96ac5688789993e043f9c6

SHA256
ff101329a2c19733b6d2e9542f87edb309d98e54a46097553e54a9c783f8b147

SHA512
e7f633215db9cfcb45eedc31a9100911cf6b3d29ac7d959eee9830425b1018a16e22bd1c01c36bb310ee9c325bef1d1179972c174854d72eff0897257e5ce95b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0291ffe4c19bc34bdf3dc650e318daca

SHA1
39e7c27c9f138e04b8fc93b8deaeac0b32f24688

SHA256
88ce08d7fbbc87fce228ddd2cf03c21329e06b3e6abf23f303a1622c66f9054a

SHA512
3ad959418cc21d454f782db91ddb33e145f639534002901692fca46f20b386270add79a5f24d03f1a55306be13d9bcaa36f7f0333ee29968b8dc7eafa644a86e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c873bc6ae0fa860ea1501c347cad9962

SHA1
b25198deb234ed3d85f19efbb0fb2cbcacd865f7

SHA256
51416fd0cdb249c236467ca2730e1f68e607625033d55a8be3f50346c8c68d4b

SHA512
7eb11160960e5e0fa3e4e285b5dd4fb75b81193487644790cb66efbccd385cf67180c93b431806b31a8fa7ca8a2f5fa455af82d8be24379891e37b61d8b108a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed96ea1ad3a02bb8cd8e5064e33e2c6f

SHA1
89cefb8be702c3d410afa8978ee2feaadc6057fe

SHA256
45ad75502135d6b985cc72bf531d2fac13c68aecc70840843fc5ee9eb6b4e747

SHA512
5de90bd208a244de86792b0bc0b4a779d235508f8d3083f06b0ce7f56b7c06a8e258ad358cd75632a49a006a76644ed140299400610c08c089ed0f1ed069c491

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9330b989547acf389b52816945f9b37c

SHA1
f07a8a45c0817b7cbd1c89572ddedfa9f5160981

SHA256
cf0f47133f0a938761d9abd47c06bf30ebac1e050121129cd5ccb4cd1954033f

SHA512
a279fc87a0ef36b7bdbb60690a42c3e3bc6fdbd8ffb16bc0740fe85756729a5200522f54184cd00001a9c4f7330ab7b3d096e33f5d51eb2d63e7dafe8d0931c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec696493b1a6ad8b3d16b844965daa30

SHA1
5888f17ed4d3496da34b35801cb4e32cd3feb025

SHA256
a93f30ba1b0ddc632434337aaf2aa1ccd52ef4eaaaf8b4fee3cd8f2fb7b5ab96

SHA512
22a1b1376bb91cf5c1e553e559910d8f5829919c6eccef0a2d07853744da2edca54518aaf175dccdeb48e3ac515e6358cd192724f16f56197dcbdd8eb387f3e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
197B

MD5
fc4fdb219061cbf40572b8fdcedd3c8b

SHA1
efe9d354ae3a518186bd931b7f060fa20eb12f4c

SHA256
2587e8a45e36280463fd364dbb42fcdd754b8d0e4d71c0f78fd7a30e369a64de

SHA512
597ea474773524c97f5d24fe5900bdc96780210c71c297938b0084b590018201cfd04057b91e8fee2ce675296c1379c1826cb5897d440fcbcc89a9f781b0dd5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
197B

MD5
00e7499492e09b662a13f1656c9aea75

SHA1
1d9d4b0fb12df967f44df5b04d06482e11cf83d4

SHA256
f25653ca91ca171c498e43455699a816d7ac075bdb1361755d5cb4b9e1d6d181

SHA512
ae4790ded300cce5f94ceecfd4e05719b50bc564096fe97430f0cae35509192f3be2f87e96d22cd1ec8e050dcc007f55d7a93c45e533c73a0f88f0739c1c5862

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBB75.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FbCxnwLpxR.bat

Filesize
197B

MD5
9ccc6b50ad3dac1ba7cf293216826e2a

SHA1
65a9a1556870ebaac2774cdd08a17ef2a36e6b7b

SHA256
150986bf2feb89133aa9898b92ecd7a99353bc11945fb2ab550372444bf69ade

SHA512
083c1f0dd05007f28903139a3c6db8b6bfaf339d09053a2df133fc21f5dc1dd8705c05c19418dcd727e79e8ebc1de3437535d65300db4832b34a3850556ac1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
197B

MD5
53957a330cf91d9fc116cda4130ca007

SHA1
06e8564dfb98085dab83893b7fc0be973b7cb0bc

SHA256
9e63e27fce5314f29f5185eb346cb2776438a85f7f14a105cca631a7587b14b1

SHA512
85e9b4328c591f53f7b12d8b5903d9ada38d3a87c7a89ae8ae09e946cb7a9c089c6b73ef458b83917677217062763f589f200056abcef7df4a3d0d7baaa8ab5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBC23.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
197B

MD5
13afb8ca97c54a6e5131f8ea17178c04

SHA1
259e95a7db122e21a01f56979b733138b77983db

SHA256
b6a447fd57231d441774f24eb7f406f3b03c8b380715ecea196284d67d790a2c

SHA512
4cfe07221f695a40ce088f059a575d2b1e4a265d44367a319267848cf51c42b7aa7b62d04bc3b547d0b64476725cf7746de61c4b08fe0f5a8eae0b2825cbe591

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

Filesize
197B

MD5
287000c0479ad57e5de99759e9c0ceeb

SHA1
8a3cf5a962d90ae4a19fac51618ccb16a6ab7327

SHA256
71c46168053df140994cfb3e8b71197de00bfaf558a891807e52c0512e2088fc

SHA512
e850acee85780ae794358936501a37e1f39fc01adb59e91cbe3007162066cbbef2583c484172a76bffa48c29cd58a0363c5d82183721a7ed26a231bdc0b538e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
197B

MD5
1db5a231715e2601fe17698b1cf10915

SHA1
5fe6ee4c7637ece78de263ac975560588d7cb19a

SHA256
d50d21ef36979296aaeb2d7d096493428610940c00ce5fb1bd3406505e9185d1

SHA512
8790492c4e1b49f8f5ac86e1553caff3ce1c799fd9b4f90ac6f912985631c7db9877f031fc2337bfa5e76e9b7d60eeff42f1f94117c619107c09bcb6e057584d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
197B

MD5
ffc71af48bae11c8a89c2944eb717ec4

SHA1
cb78ced56601ffeb3f8a8ba6dd04639fe016303c

SHA256
0c95c98fe0a1c4a2c4d7e612d69a07979566f8fd939d039634ee0bf28ec9fe72

SHA512
5ca23c8ec5cd720c69732d1afd6a626a4b7df75a2328d3164dbb6e65efae6799ea0ab530c215f4bd008c86f55b4d12e3e5c8d1fe33b29565e8894ced20945d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
197B

MD5
157b5557bef4bf8d566ea305848a33a6

SHA1
787d1f35d4b42be7eca50eb0f6fb8a78340595e7

SHA256
0a8c0024bb880dc4a7300fa2cf23f4a0498bd1c7b78806bacd80f3b2c5c39ad9

SHA512
ddc1c546ba9305c07c973e497fcb6141eefbb6dcb9f4a8b647764d339004e512bbfd6310cb62f10a52e5a657def80f1628b3bdd48438da73fefbc29cdd358a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\zi4n06VBpB.bat

Filesize
197B

MD5
d0e760bf1fe0bef233d110fef4d6cc11

SHA1
f8136752fcd8097284454e190ae5652770e118cd

SHA256
5ebdd7a189fccd02d0dca8a152daff1405db1f3ecb323a13a1634ff1f28225de

SHA512
03ade8d06e581701cab3cc148b910717815f6f5c38731dbc309d2eb15ea1afc4e7a18a4b547ce25d42cb58ebf06981d57680c04bb5f8ce5afb32993d69bb7476

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
978d17313b2b2c6dd681700e2546339a

SHA1
bfe60092d571e7077620ffbc8dd3f7c09837392e

SHA256
1b165159a24e1131001605a35c86194c77f419a5dfb6672414351c64bb7bfed4

SHA512
5af626ce0a50fc76ac62616ed48b9fb458a19ef4326c8af3f4d347b6050f54d91e8904ce1420d1628bc3185812219b0b0df449804e9e32fbcb2b98a248ab4afb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/612-255-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/888-315-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/936-195-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1876-615-0x0000000000490000-0x00000000004A2000-memory.dmp

Filesize
72KB

Download
memory/1876-614-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/1896-16-0x000000001B060000-0x000000001B06C000-memory.dmp

Filesize
48KB

Download
memory/1896-15-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/1896-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1896-17-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/1896-13-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/1972-435-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2504-136-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2808-133-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/2864-495-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2904-375-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/3064-132-0x000000001B3A0000-0x000000001B682000-memory.dmp

Filesize
2.9MB

Download