dcrat | 59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671.exe
Size

1.3MB
MD5

81cce5fc33a24f2193324f92e5023e5e
SHA1

0541a0a278e03925d6b52d15226ae1758d1dbffb
SHA256

59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671
SHA512

1bb304203e5c59318e899cdb81e2e7ee7d2d78c94404a447e118de96f1903a3e0a639a71b178ab9c9460bfe653fa02e99a70e2e2a7aac2c2426406b5958d1146
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	488	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1932	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016399-9.dat	dcrat
behavioral1/memory/2752-13-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2620-129-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/660-189-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/2320-249-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/1084-309-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2532-369-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/2484-429-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/2856-489-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2160-550-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2988-669-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1752	powershell.exe
1944	powershell.exe
1680	powershell.exe
564	powershell.exe
2304	powershell.exe
2104	powershell.exe
1512	powershell.exe
848	powershell.exe
1732	powershell.exe
2440	powershell.exe
2116	powershell.exe
2352	powershell.exe
896	powershell.exe
2484	powershell.exe
2204	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2752	DllCommonsvc.exe
2620	csrss.exe
660	csrss.exe
2320	csrss.exe
1084	csrss.exe
2532	csrss.exe
2484	csrss.exe
2856	csrss.exe
2160	csrss.exe
2544	csrss.exe
2988	csrss.exe
644	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	cmd.exe
2364	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
21	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\csrss.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Help\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Help\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
2412	schtasks.exe
3016	schtasks.exe
3012	schtasks.exe
2592	schtasks.exe
600	schtasks.exe
2896	schtasks.exe
2124	schtasks.exe
488	schtasks.exe
2776	schtasks.exe
2616	schtasks.exe
796	schtasks.exe
916	schtasks.exe
2472	schtasks.exe
1548	schtasks.exe
1092	schtasks.exe
2036	schtasks.exe
1984	schtasks.exe
2256	schtasks.exe
1384	schtasks.exe
2656	schtasks.exe
2160	schtasks.exe
2788	schtasks.exe
1912	schtasks.exe
1152	schtasks.exe
1284	schtasks.exe
2944	schtasks.exe
1800	schtasks.exe
1856	schtasks.exe
1620	schtasks.exe
1788	schtasks.exe
1924	schtasks.exe
1784	schtasks.exe
2128	schtasks.exe
588	schtasks.exe
1496	schtasks.exe
2428	schtasks.exe
2156	schtasks.exe
1660	schtasks.exe
1876	schtasks.exe
532	schtasks.exe
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2752	DllCommonsvc.exe
2104	powershell.exe
2352	powershell.exe
2116	powershell.exe
2484	powershell.exe
2440	powershell.exe
1512	powershell.exe
1944	powershell.exe
848	powershell.exe
2204	powershell.exe
896	powershell.exe
564	powershell.exe
1680	powershell.exe
1752	powershell.exe
1732	powershell.exe
2304	powershell.exe
2620	csrss.exe
660	csrss.exe
2320	csrss.exe
1084	csrss.exe
2532	csrss.exe
2484	csrss.exe
2856	csrss.exe
2160	csrss.exe
2544	csrss.exe
2988	csrss.exe
644	csrss.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	848	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2620	csrss.exe
Token: SeDebugPrivilege	660	csrss.exe
Token: SeDebugPrivilege	2320	csrss.exe
Token: SeDebugPrivilege	1084	csrss.exe
Token: SeDebugPrivilege	2532	csrss.exe
Token: SeDebugPrivilege	2484	csrss.exe
Token: SeDebugPrivilege	2856	csrss.exe
Token: SeDebugPrivilege	2160	csrss.exe
Token: SeDebugPrivilege	2544	csrss.exe
Token: SeDebugPrivilege	2988	csrss.exe
Token: SeDebugPrivilege	644	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 2540	3056	JaffaCakes118_59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671.exe	30
PID 3056 wrote to memory of 2540	3056	JaffaCakes118_59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671.exe	30
PID 3056 wrote to memory of 2540	3056	JaffaCakes118_59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671.exe	30
PID 3056 wrote to memory of 2540	3056	JaffaCakes118_59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671.exe	30
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2540 wrote to memory of 2364	2540	WScript.exe	31
PID 2364 wrote to memory of 2752	2364	cmd.exe	33
PID 2364 wrote to memory of 2752	2364	cmd.exe	33
PID 2364 wrote to memory of 2752	2364	cmd.exe	33
PID 2364 wrote to memory of 2752	2364	cmd.exe	33
PID 2752 wrote to memory of 564	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 564	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 564	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 1732	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 1732	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 1732	2752	DllCommonsvc.exe	78
PID 2752 wrote to memory of 2440	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2440	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2440	2752	DllCommonsvc.exe	79
PID 2752 wrote to memory of 2304	2752	DllCommonsvc.exe	80
PID 2752 wrote to memory of 2304	2752	DllCommonsvc.exe	80
PID 2752 wrote to memory of 2304	2752	DllCommonsvc.exe	80
PID 2752 wrote to memory of 2484	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 2484	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 2484	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 2204	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 2204	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 2204	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 2116	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 2116	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 2116	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 1752	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 1752	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 1752	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 1944	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 1944	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 1944	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 2104	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2104	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2104	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 2352	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2352	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 2352	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 1680	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 1680	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 1680	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 848	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 848	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 848	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 1512	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 896	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 896	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 896	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2864	2752	DllCommonsvc.exe	107
PID 2752 wrote to memory of 2864	2752	DllCommonsvc.exe	107
PID 2752 wrote to memory of 2864	2752	DllCommonsvc.exe	107
PID 2864 wrote to memory of 1056	2864	cmd.exe	109
PID 2864 wrote to memory of 1056	2864	cmd.exe	109
PID 2864 wrote to memory of 1056	2864	cmd.exe	109
PID 2864 wrote to memory of 2620	2864	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_59aec149e72eacf5fcedd48cf0ceb04fa2302d780974cff47a702d25cafd0671.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UOph32PSWo.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1056
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
        7⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2492
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        9⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2716
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat"
        11⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2232
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        13⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1488
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        15⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1300
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
        17⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2996
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat"
        19⤵
        
        PID:1084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2928
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        21⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2780
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat"
        23⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2752
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
        25⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1696
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Help\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Common Files\Microsoft Shared\MSInfo\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Recorded TV\Sample Media\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Templates\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\NetHood\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\NetHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{F6080405-9FA8-4CAA-9982-14E95D1A3DAC}v14.30.30704\packages\vcRuntimeMinimum_x86\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2d2ebb629a30f86ee8ababf058d23a9

SHA1
89441b59b1130e516f00ee337638d61e1fc19400

SHA256
3b6eb2d7f6e600ced7e50b1862bb9322d54d116c1496f9c65b18895817b210ee

SHA512
41acb4ce9c0ca7f9784c549c7e13f6a450a4f6141feedfd71d178b4edcbf4ad32bffe100ede429c5bfd471d4df318860320f958a4fb6992fc0ae1ab3d4b26285

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63c2ea7615111631c588cff751c6ed7f

SHA1
5290084ca7d49bb2fc4579cd0b53ed73d6dd8216

SHA256
123d4cc3925c6f4c9f55f023c3f80877074ec69dd6ee72713a1fa47d904ef569

SHA512
bb6e72af542b6859b97203e536f359568d4151d46a596067b3598433c8d3ae2b9149d8b752981d5e8ba7223de9220b02468876b01017767f61b00a69f2f799ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5625c9f95dd9311555dc1bc1be555d2d

SHA1
41251e6adc65ea61959f1fd509e26594e8ebdf7c

SHA256
bbc6137ddb718d619893fefa2c44022d63ba0638d81fb1e777bad0bb84a397c7

SHA512
2fa83c3f07e71abb991225a8ce127b0aff27657cde4aea18cdb767713aeb340c683d189f04c46e0398420a606c7c994c1424e89db31079d72f4925445555f625

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9922b502254e95beb6280874967f29b4

SHA1
5f632c75629872f566e3474cbc9f13a3d7d4e5f6

SHA256
a58c6c0d6f6e6efce1081cada60e24d3a32bd38c5d63daf9ea8ee925bffe05e2

SHA512
dc692edb8612d7b3db2e2dd069614d0beb05481ee0639b4c878de3c4bca43904e0e2921c80d0c3e961d75f815205c80bd91ea2df2c244704e89da5d4ad340003

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
554d96e1f5d20123fd612b0f701bb4cb

SHA1
26cad42fe3c801acc4e712bc18a7341a10db9d27

SHA256
4b07b127f2177001e0c655afeb6742bebb06e2b7bb864d91eb6f5d506d9650c6

SHA512
5d9e426e250dc643724103ff7fc2dd8204218bc02afefa729d2d0bfabc475aff066b393de5575ecb5217d053120cb2b2e4473bcf2a21dc91a598fe176a06fbdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ddb92a07e862c2928e8f25971e22144

SHA1
b3e81dbdfce02a8bcb52ae0b6a3794deb751d751

SHA256
a8a20d8b8511b5580cf7ba0aabdd64a6b280a3fa5c1ef0edb69543b3702b0e94

SHA512
f75f40fda628f9caa94fd12dfc4809e35d3c4f9e2f96b3d4a9ac93200a5e977e8e0e2be516eace5aebf8bf68b92aec13bdd88ba770f2b86faca26c6dcffdf02a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5885dcd722b3bc5fdc1ee8c7a516d642

SHA1
2efcbe5dda042fe797a5c0565ab162816036291c

SHA256
5f87e152bcfab1a7345156b819e39c2fa60c90c8e42eb42fb50b076d5a1a4594

SHA512
5f654aed9eb8e3c450c750316c90c707ec2fdf6d2b2dd081410cdb318707fddddd0078bb49264e486c0eae7c3a3bf8ee84ce238ee9b257c0a7078d32e93d1b64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d661f6aacb283ce93e9fe839b434814

SHA1
de0e248bc365d57d6732cf67b0d28f20a726a7a7

SHA256
7b8856d56a97d62a8ec0127d2390d648dc4ee7518354080a7b8b01a301b2b1d8

SHA512
dec58524402e35bb9c4472672a37269c52ab42b6bfb61adbd53de7e9f62d6b78f1d76862560c5e09254e0ff054d667ae2310cdc373a3e660e98620ad60e68df0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf291a222e155c5b6cc124ff0fda9e6b

SHA1
1c23fce6ef39251ca68ecae93dd9cf64834ad26f

SHA256
f158fac8802b908e6fd63dcd5801817500e37ed974ce6d5ccd89e78a653bd026

SHA512
60bb7caffe447c54d39131f8d3528c2a8a6ec9c79eff697ec1d6b8fd1b95ed38de0196a202e8c94c154a2eadf499bab60b4bfda21c18991fd47c2d6fcf7969bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\3EiKDvRnKw.bat

Filesize
223B

MD5
d7f11514d52674e32bfafe9ba47e8402

SHA1
b6683a7fb09245dae02dff06e4e84f2da1682c50

SHA256
789e9700044e764e5e64d33c91a4dbc7394efcabdc6b2bfa6d7c16cc6d9775a0

SHA512
a69ab5c7ab2effb66879dd7d5a480effd83eeb3e82b2816000fc392303bf91ec4ce6f77b99d969e0c2148127877cc8ad066ecf58ffb5ad97b0882f5b9eb3055e

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
223B

MD5
0ee1ffa8635310116aaab45705d6d1a4

SHA1
ca4ccbabb2ecdda14b0640ee64fe7348e1f96171

SHA256
53cf98aa433c14582f612f8d4f9f87a422094a93fcdc2862baa15b92dc20ffba

SHA512
cfdb01c457a4e4edf4371546d42d85d96f689594ca9f7f676f2659dd6d40c451a0b93aa48f5c75e24355474f02fd6ac93bd88e3b7a9e492fa3126ad475d2d4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

Filesize
223B

MD5
121175d951a42b117139dbbaea99d702

SHA1
58c5c36efc5cf7424347906a06d2637b071a77c2

SHA256
c5369864272c874f94cb97a809aefa676ff3e817e5184ea849b0df19ed7b7c65

SHA512
3ac9cebd7967313376ef4868e4b45c94276c287d5b58b36159b55a8335fac2b6461f044da2bdeb5df90cd8ed5f2a13fed496165c0fdda3b37277b2e2d778a13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED5D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
223B

MD5
a29dfc8e8997b1e7c67a8c21d59272be

SHA1
fed30e09cbcc2517329a4e005256840d9c6714f2

SHA256
498fad2a674fea16164b1dbb7c9eecb2b949cb6ce27c092fc5f169f1a79107ba

SHA512
c96c4f91a9ae6e031299921f6e65d428eb96cd3ef0fa208303e0626688c280b684facae5e55727fc2be0a3ae52ad7c88ee95c92fd66267fa57a0f500523b6769

Download Submit
C:\Users\Admin\AppData\Local\Temp\QUR8LTwG0H.bat

Filesize
223B

MD5
8b86c172d0e4df38c11363afc4e0555c

SHA1
f97949610ab3f96cee1d719285177b2ef0147ce2

SHA256
86766c3ddfd852c759d94f9cf3e6ae151e0d6ecfbde8a41bad701de42e1ae585

SHA512
9a27417baebc95d9db267729c3604ea61caa56e5c348168a23a0e6766ede6a8cc633d1be2f2a5078bce875484278de427ecb12857e0838e5290c0071bda73dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarED70.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

Filesize
223B

MD5
fa1102b7b04eeda3c973028fff7bb5a5

SHA1
719ec9fbef18a720e94305bd8f7826a00967d4a6

SHA256
821e9135f8430284e8541ddefb5b24cc1545f841c756e13673a1325d29611e0c

SHA512
76b2be2528616dfb83095288ad761d7198660e874ebbd1a9277e47973c07f531946e6162b1c180b0448b0d95f28197a7a5e0cff4bcd510f10954d48728faa0f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\UOph32PSWo.bat

Filesize
223B

MD5
a7941d5abaf5d323606dfa6db23cd6d7

SHA1
fcdcee250757a05892d8435e32ed618261b39275

SHA256
cf5e41ee256a1de1f0bec39eeda7610daa62a306862fc6555d2871ea54721a57

SHA512
ea0c9b26b12463803a82f1c010f434240f3291cd0dc81dda5507f20a55371f75ad4d3269835e5d5779941a6a69ea1254194140e0d3c1e149f1167121dadd1d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
223B

MD5
c6abc3f0a5cfb0f300f76296ff385447

SHA1
b4fa3c1e4b8aec07a25f363c730cda2d3ab149db

SHA256
b78e2ab2a8c37d8ffdb054ceba181800949ad3f797d26ced7055fee925572ab0

SHA512
fdc5c5bbfe644ddf0053e58a12e7bb1cf1927c4532e293022da9d8a9e67f0ea27248e54a8ba87a6658da50fad27e09b8a4a9e3398731636067bd5c6a2b843d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

Filesize
223B

MD5
f1cfe7f5c723914366bf762574ad4f89

SHA1
a984274ea05f79631b4c252811f3cfd824edd751

SHA256
ff5376e4d872e33631eccf3400ee0e61882936ad18bde1de75a2724aa94fa75f

SHA512
b58666540f7cadb036cb63fae00c6cc2ce0bda27c66d06913787c01fb9c5f5f90ff863d95b1b56c38b8ee3ae2a91e9f39b8a47397e3bba595feb766856a4b12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lBSBdtFHPx.bat

Filesize
223B

MD5
a29d2d9a06c4b6383741089ffcf385f5

SHA1
e9df3aa6669f883400896c532957b9fc82ec2282

SHA256
cce39d867a69164bd5bd9a2b6387f0c9aa6af6fdb6e6a4288904b17695451c6d

SHA512
aff03d937cbf573cdc56557e705c26c3a6189ed969bc084a42b8857f5f2ec08664c5bb6f15bb0d97379482f97edb354e5b8a7780a4ccd715502830234b65297e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
223B

MD5
71acea7353cbc2f1f0e883056ec5849f

SHA1
d3f076e88065f013d30d1fa1df59fbfbd6682fc6

SHA256
73216ba8aac226d5acea41019fce841244bc72f386ebf18efdc5ee73ee4ca172

SHA512
7286bc707298c436cf825fcf444c7b9c6de2923370e38bff20cf4e1146a6f9183d0a3b2fd21e91891a8ab71803bd7a3ae0746b784bc605efa831341a6f0e558a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
214e5b21ce9668cf30b452354515f5b6

SHA1
fda054114714ab8f874c9d667f8345a175713593

SHA256
60f0f321e16857baecf952e22c29db09ec54f9df4a27d8049d8943bda4179b5b

SHA512
41906b5b020ce2e43d0cc44830cab3d5387218e635d6f13a2f3c2614349476e97419fadae10410885d6046d95581463341f1a84380b4886d67e02c6f1ad2acdf

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/660-189-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1084-309-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2104-70-0x0000000002700000-0x0000000002708000-memory.dmp

Filesize
32KB

Download
memory/2160-550-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2320-249-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2352-69-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2484-429-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2532-369-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2620-129-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2620-130-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2752-15-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2752-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2752-13-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/2752-16-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/2856-490-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2856-489-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2988-669-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download