dcrat | dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6.exe
Size

1.3MB
MD5

69d809a3552788deb6e00e4b75d0daf4
SHA1

4d54efd34b83fac43d8f22ba588c1d6ecc564dd6
SHA256

dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6
SHA512

02d073c4800d6c3e2b32d7de697a1f73113230c6cece8e00dd143acb22cb8afd93bb6329cec9263e7a34eb46845fd7045092757c6424431227c1e0c182744b3f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	3016	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	3016	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186ed-10.dat	dcrat
behavioral1/memory/2300-13-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/1928-118-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2620-178-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/2624-238-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/2016-358-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2288-536-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2092-596-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/1732-657-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/852-717-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
2540	powershell.exe
2260	powershell.exe
2196	powershell.exe
2656	powershell.exe
1636	powershell.exe
2532	powershell.exe
2776	powershell.exe
2408	powershell.exe
2248	powershell.exe
3044	powershell.exe
2084	powershell.exe
2188	powershell.exe
2520	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2300	DllCommonsvc.exe
1928	OSPPSVC.exe
2620	OSPPSVC.exe
2624	OSPPSVC.exe
1552	OSPPSVC.exe
2016	OSPPSVC.exe
2248	OSPPSVC.exe
1944	OSPPSVC.exe
2288	OSPPSVC.exe
2092	OSPPSVC.exe
1732	OSPPSVC.exe
852	OSPPSVC.exe
1576	OSPPSVC.exe
1140	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	cmd.exe
2868	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
5	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
47	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
40	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\75a57c1bdf437c	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Boot\Fonts\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1952	schtasks.exe
1252	schtasks.exe
1304	schtasks.exe
1028	schtasks.exe
700	schtasks.exe
2736	schtasks.exe
1160	schtasks.exe
1800	schtasks.exe
1932	schtasks.exe
1816	schtasks.exe
1764	schtasks.exe
2740	schtasks.exe
2996	schtasks.exe
1092	schtasks.exe
1648	schtasks.exe
1236	schtasks.exe
1044	schtasks.exe
2984	schtasks.exe
2684	schtasks.exe
2296	schtasks.exe
1628	schtasks.exe
2024	schtasks.exe
316	schtasks.exe
1900	schtasks.exe
1572	schtasks.exe
2148	schtasks.exe
1732	schtasks.exe
696	schtasks.exe
2004	schtasks.exe
1344	schtasks.exe
2876	schtasks.exe
2732	schtasks.exe
1524	schtasks.exe
2676	schtasks.exe
2908	schtasks.exe
2272	schtasks.exe
3012	schtasks.exe
2344	schtasks.exe
768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2300	DllCommonsvc.exe
2188	powershell.exe
2776	powershell.exe
2248	powershell.exe
2520	powershell.exe
2656	powershell.exe
2408	powershell.exe
2540	powershell.exe
1688	powershell.exe
3044	powershell.exe
2532	powershell.exe
2196	powershell.exe
1636	powershell.exe
2084	powershell.exe
2260	powershell.exe
1928	OSPPSVC.exe
2620	OSPPSVC.exe
2624	OSPPSVC.exe
1552	OSPPSVC.exe
2016	OSPPSVC.exe
2248	OSPPSVC.exe
1944	OSPPSVC.exe
2288	OSPPSVC.exe
2092	OSPPSVC.exe
1732	OSPPSVC.exe
852	OSPPSVC.exe
1576	OSPPSVC.exe
1140	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	DllCommonsvc.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1928	OSPPSVC.exe
Token: SeDebugPrivilege	2620	OSPPSVC.exe
Token: SeDebugPrivilege	2624	OSPPSVC.exe
Token: SeDebugPrivilege	1552	OSPPSVC.exe
Token: SeDebugPrivilege	2016	OSPPSVC.exe
Token: SeDebugPrivilege	2248	OSPPSVC.exe
Token: SeDebugPrivilege	1944	OSPPSVC.exe
Token: SeDebugPrivilege	2288	OSPPSVC.exe
Token: SeDebugPrivilege	2092	OSPPSVC.exe
Token: SeDebugPrivilege	1732	OSPPSVC.exe
Token: SeDebugPrivilege	852	OSPPSVC.exe
Token: SeDebugPrivilege	1576	OSPPSVC.exe
Token: SeDebugPrivilege	1140	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2612	2372	JaffaCakes118_dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6.exe	30
PID 2372 wrote to memory of 2612	2372	JaffaCakes118_dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6.exe	30
PID 2372 wrote to memory of 2612	2372	JaffaCakes118_dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6.exe	30
PID 2372 wrote to memory of 2612	2372	JaffaCakes118_dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6.exe	30
PID 2612 wrote to memory of 2868	2612	WScript.exe	32
PID 2612 wrote to memory of 2868	2612	WScript.exe	32
PID 2612 wrote to memory of 2868	2612	WScript.exe	32
PID 2612 wrote to memory of 2868	2612	WScript.exe	32
PID 2868 wrote to memory of 2300	2868	cmd.exe	34
PID 2868 wrote to memory of 2300	2868	cmd.exe	34
PID 2868 wrote to memory of 2300	2868	cmd.exe	34
PID 2868 wrote to memory of 2300	2868	cmd.exe	34
PID 2300 wrote to memory of 2776	2300	DllCommonsvc.exe	75
PID 2300 wrote to memory of 2776	2300	DllCommonsvc.exe	75
PID 2300 wrote to memory of 2776	2300	DllCommonsvc.exe	75
PID 2300 wrote to memory of 2408	2300	DllCommonsvc.exe	76
PID 2300 wrote to memory of 2408	2300	DllCommonsvc.exe	76
PID 2300 wrote to memory of 2408	2300	DllCommonsvc.exe	76
PID 2300 wrote to memory of 1688	2300	DllCommonsvc.exe	78
PID 2300 wrote to memory of 1688	2300	DllCommonsvc.exe	78
PID 2300 wrote to memory of 1688	2300	DllCommonsvc.exe	78
PID 2300 wrote to memory of 2248	2300	DllCommonsvc.exe	79
PID 2300 wrote to memory of 2248	2300	DllCommonsvc.exe	79
PID 2300 wrote to memory of 2248	2300	DllCommonsvc.exe	79
PID 2300 wrote to memory of 2540	2300	DllCommonsvc.exe	80
PID 2300 wrote to memory of 2540	2300	DllCommonsvc.exe	80
PID 2300 wrote to memory of 2540	2300	DllCommonsvc.exe	80
PID 2300 wrote to memory of 2188	2300	DllCommonsvc.exe	81
PID 2300 wrote to memory of 2188	2300	DllCommonsvc.exe	81
PID 2300 wrote to memory of 2188	2300	DllCommonsvc.exe	81
PID 2300 wrote to memory of 2656	2300	DllCommonsvc.exe	82
PID 2300 wrote to memory of 2656	2300	DllCommonsvc.exe	82
PID 2300 wrote to memory of 2656	2300	DllCommonsvc.exe	82
PID 2300 wrote to memory of 2520	2300	DllCommonsvc.exe	86
PID 2300 wrote to memory of 2520	2300	DllCommonsvc.exe	86
PID 2300 wrote to memory of 2520	2300	DllCommonsvc.exe	86
PID 2300 wrote to memory of 2532	2300	DllCommonsvc.exe	89
PID 2300 wrote to memory of 2532	2300	DllCommonsvc.exe	89
PID 2300 wrote to memory of 2532	2300	DllCommonsvc.exe	89
PID 2300 wrote to memory of 2196	2300	DllCommonsvc.exe	90
PID 2300 wrote to memory of 2196	2300	DllCommonsvc.exe	90
PID 2300 wrote to memory of 2196	2300	DllCommonsvc.exe	90
PID 2300 wrote to memory of 2260	2300	DllCommonsvc.exe	92
PID 2300 wrote to memory of 2260	2300	DllCommonsvc.exe	92
PID 2300 wrote to memory of 2260	2300	DllCommonsvc.exe	92
PID 2300 wrote to memory of 1636	2300	DllCommonsvc.exe	94
PID 2300 wrote to memory of 1636	2300	DllCommonsvc.exe	94
PID 2300 wrote to memory of 1636	2300	DllCommonsvc.exe	94
PID 2300 wrote to memory of 2084	2300	DllCommonsvc.exe	95
PID 2300 wrote to memory of 2084	2300	DllCommonsvc.exe	95
PID 2300 wrote to memory of 2084	2300	DllCommonsvc.exe	95
PID 2300 wrote to memory of 3044	2300	DllCommonsvc.exe	96
PID 2300 wrote to memory of 3044	2300	DllCommonsvc.exe	96
PID 2300 wrote to memory of 3044	2300	DllCommonsvc.exe	96
PID 2300 wrote to memory of 1928	2300	DllCommonsvc.exe	103
PID 2300 wrote to memory of 1928	2300	DllCommonsvc.exe	103
PID 2300 wrote to memory of 1928	2300	DllCommonsvc.exe	103
PID 1928 wrote to memory of 2836	1928	OSPPSVC.exe	104
PID 1928 wrote to memory of 2836	1928	OSPPSVC.exe	104
PID 1928 wrote to memory of 2836	1928	OSPPSVC.exe	104
PID 2836 wrote to memory of 1032	2836	cmd.exe	106
PID 2836 wrote to memory of 1032	2836	cmd.exe	106
PID 2836 wrote to memory of 1032	2836	cmd.exe	106
PID 2836 wrote to memory of 2620	2836	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc1635003d31fd4b1fcbdcb3fa26bfcc9562ff2f229ec16e7318b86ac34fd9d6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Landscapes\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1032
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat"
        8⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2752
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        10⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:888
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat"
        12⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2592
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
        14⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1808
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
        16⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2576
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
        18⤵
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2724
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        20⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2860
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        22⤵
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2568
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        24⤵
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1488
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
        26⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2524
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        28⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2772
        
        C:\providercommon\OSPPSVC.exe
        
        "C:\providercommon\OSPPSVC.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
        30⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Landscapes\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Landscapes\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\NetHood\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Favorites\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7cbc2552b2fb793b01cc7fc1c9c4c95

SHA1
f055749c9454065f8da656620a2acae3f020995f

SHA256
9cac3e2a820a4a41d6c357d76af6bd29fea9cb715c4e997ffda8726c280a5f7e

SHA512
b2e76c3af490a5b77a8925670566fb05a7b7944664fd0ee82f99e1bc023d96a610391618fd4f1f99d75500df0feb163cf3e3a56f43db14f7cf8d16494e836be6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
506d4d750c238c5456d4b7d80fcb0e30

SHA1
f7827081f57b316a29bc33fcbac32f2d89631bb9

SHA256
e272a5a156585504db5de3ead478df9eb44df432c71c94a878ef70df6a6180fe

SHA512
8d345de370a06954f79ffb536c4e012fbc854f61bc385a0de63823fff47ee260d4d0aaef02d914f2285018c85b383ab09c75e24a276172fa5c6286698187269b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47cd29913e7159d36757d33b146db87e

SHA1
ecf4a5d05472fe10a341f984dbac25f9293ed62c

SHA256
1e881a4d437d567b7c3465e0f7253ffa69b6c51535c2872f336e569e0dbc9954

SHA512
af0e124de9fab21d5379d1aa8f8ca4568f02d58ce8afe2ae5388b38d002dda6fa22e30078f2246c934ff33b67c44876130eb203dd1acfa9929fdc9bf29e1f945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e50e80deca62f81d752f770102da468a

SHA1
290295fe8ec76031ed1ced5a31eb7d64974f0f88

SHA256
f631df6b765d134cfd9ada71e7d22f77414232c90b68e6e757a0c0164025c567

SHA512
c48d87b84ba25ee86985d023088f3752a4c8246b5df46cc68c017f48e0a375bd783e099ffb7384bea1cd2df4609a4e27ac86fb97153e6e31271ee9cbe5d96ad2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf39c9ed2f9b55d5760e2297754b91fd

SHA1
a57c006b367196424b3a5453dd55e001bbe0da96

SHA256
7684670daa626429397a920ac658173c061a6a49403cff285fd80408b4333295

SHA512
06386db372eabe77f1a957da71a88e4f62bb94b7a66df59728c406a35f23db1e313023d45358083be9d95b9e9ff1be564ee68b0dec3cfef53186d86287242db0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3f6304f67454fc0319ed9d8cc3c4db4

SHA1
669f4a6404e685a1b8717916df8317b7911d8ac4

SHA256
1d4902db084be6d1b29e572288432c85367890194f096fce75de80cddb2d2284

SHA512
969c7f84e61f82a1aa17b3e0ce484da27e3e593e0aec1d8871153fee7f062073a148e204cd918125153adedbd78088931af2aec29cb29bedb22a32dd80f334af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
669eca41a4ff140bbdc04ffff0b32c62

SHA1
02b2b11c0b18c4d32ec0a290c81f8d4856e33df8

SHA256
e79856c5c3255800e4b277d080660599d6d2e0a5fa2418163b5e9f96b115a811

SHA512
f6551858e7c28279cec59c1742d1a87d52097cf5d8d7667a3e37986e30ed6da620601dee4ae4ce4b5725c9d63d033f6e03bc6f6dcc245137f37acda5ed1d6b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca9d94010dbb1e9c31ad9c0fcd8b35b2

SHA1
d7f34bb81de4d61f05a9b111568d629d7c36bb89

SHA256
4985df0cb40dc1d904aafb10159c5aa4dc17af25b1fb428da9ef9ad061aecafa

SHA512
7254d2db222ebd235b4373b6b1d5de3443410a01f60b756e37f2386ba455152436392862f6e4de443bc483a974c6bad78e05c12d2f276c6a6851a13c93b62c1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f236a0579c708024916552f48cd22e5

SHA1
c5e6c0e5ca1aa8743a73e52aa76582aec08f632d

SHA256
6611a75a550c0de21a2d6e8472e1e4e4824ed5fb76ccf1476c2b288368973d04

SHA512
a7e24a4a10bdcb3209215083e626a7dc6adfc47e70228dfaddfdf25193ad6c2e2043ac0a3fee2d7d766238bd518206032e9eb0dd61962633af3e05b2a397afcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e44d0c68a05c2093a9f7d2be23b3ccd4

SHA1
961b8af519bb580f155f49c50a531103f20ec6ed

SHA256
969192e369a554b76fdc9b61a3c82cba173566b188fb526ffc7d70f0c462aae1

SHA512
425dd5c1451f48b47dc07aec484914552c8ae214a88d99914ed048492e004b23d6450d3395d782390c4bfcbaf889cce8ffb2539bc926195fc7acd890857a796c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c720ea148b62a0ae93d4b5a8c3c912d9

SHA1
85885223c44c7bfb37475a330169eebe4129c360

SHA256
d87a93c94fd471aa7602084216d84e97e98aef86bb436b9c8279f9e3cb8e8967

SHA512
e04bedfbadd3d9e160a67337068fad4cf2183881fa76c4d1b108aa110488a8d12bdff56e1b925a57416edbb7a436ab4b61ffe09c2f82ebea2d64eb7c2ddf0fdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1280bdeed08774fb5b3939664739c5f

SHA1
28ffc0631a5e72bdc9e518dc4b78d7b01cc8f8e9

SHA256
deb13c61552323f6b7b67ce2c40f6e4c8173de5e8f537b664bbf7ee48f016628

SHA512
d40a494a19c840155b7aa104366c53a59c4c67a2ba288088e566333146604c81f30bfbd057670a04fff8a81f179d58412a9412c812fa0495c9b7b4de22503783

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
194B

MD5
9cda6a7225faeaae639bcbf99ec233ec

SHA1
f97610a6370b9476fe3df2027cf9e0a161907421

SHA256
0fd02d219842b3cc4cc03ed704d7cc8b6c44325d206abd98d8dd73382182d0f8

SHA512
2c8e2984cc9184395fb7a7fcb9fa8181391667f353636d37885bade15a900623ffa9cd3eb3b7083dbdd1fa4c6c7d43e5af89084a4337211c2b0e4a2eaebb11f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7F8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

Filesize
194B

MD5
15b1a8d264cf711b09e2066258759921

SHA1
4d65d1bb8dac29d977ec46ac24f9df3e9e8944ce

SHA256
43aabb506fb89d8012bde33928eab2c8c39ae82593b040cf22c0af77a31dfa7e

SHA512
3ba778f973d8add61af9a03c39709530c76e73abe4345283d2532160f4a0d90c8cdc6cc4175fee338a6693628ff2c0f8b7b22ba046ed7b990da463fbf975f718

Download Submit
C:\Users\Admin\AppData\Local\Temp\LEBHQwxRW8.bat

Filesize
194B

MD5
45e3806d090f9997f96618e4ddbdd808

SHA1
20956ce4ef813db4f896b88d0bba1a21c009d962

SHA256
a77ba9e9b10f299fc1da6fa3fca198a3c9ec75bb8345a3b12d3b37551aebe8fc

SHA512
392b0b2a620351ecc50cce3f11e940f131e87ca2ec74f527aefa2901eb6eae37a9817de3e4772371dbce88ede062cad3b4feb2e4db6133cefd26b4ea9c254215

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

Filesize
194B

MD5
82eb721915c8e0dda2a54eeed35de421

SHA1
86de331427be66ecc6f557f53ea47002506e979a

SHA256
387987253cde0fc53068dd731f4ad5bc9c17f979f0ad6a5916ed13cff1ce5b16

SHA512
a308181c11fab87957e1669f3af1742c597ae51009b90bb5184b423959fc576f86ff7753828d613ab260c8478b021083e859d6b6fe706e3ded4e9f3a8c06ca99

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
194B

MD5
1be46a8eb9be597657a19075f80d6036

SHA1
6d22fc741f637fcab188957010ab58c755267753

SHA256
d7bd13d7b9558b0ad18d9b214834b2359df36d44c5ac887fc7964b04b9b58e95

SHA512
2a26b3c52b15b7ae974f40bcbbfa09fa8d83fae24292ebc14d21d788230c2d9c51e1feba1a7ec06ab4101fd0c013954122074b1bbd5958e0dfbaa92a210dea51

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF80A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
194B

MD5
e9eeb1732142a799f76c536e76aab0e3

SHA1
d9c104d131844502bd080eaca4c40f9e0a574534

SHA256
03983553f5a087ba75976ec4b6b2a5fdaad1bc44a2e6d6de28548d988c997a27

SHA512
72e44a1318921b0be15f53ef28477dbba5525c1506c93209f3caeca4d16d31bf4c2544dbc8635e342436ec67388fdbc7984c691879ff6eddb25b51d56ef2c587

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat

Filesize
194B

MD5
a79e3192fdf10e89d6a3f9f0fae3b179

SHA1
a1b4c0bd1894309edd16b955218724f21d80e4a6

SHA256
4993c3cf8fec617dffb4b5352814514ecb10c2b30f176708ae015bb54a31baf4

SHA512
a2a7cf64fb82c7fdd0318e7f6bbdb1e63024c767c7aa3e654b750663cce8e64021f139dcd62d1af6b2568b1b9a5282339d33143ace5690f2030c4bfa3ad894aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat

Filesize
194B

MD5
577c2c510be26b42815be6f096256057

SHA1
e9553662e2e077d5f31bee253ea4213e997b740c

SHA256
0e3c56ff7c1d69673a6e91f1bc320678956578603d68fb3293791f5357c6f851

SHA512
ef016464f26de61115145f3d7c78ad4c6a325848010d82e53190c5bce7e147dc33e6bae30ddf5a821a89bc6192590383654e2e5c3a7400e1bfc37f681c04fd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
194B

MD5
ecbf77a7b65773d67ea968468c93e540

SHA1
9718ec15beadc52984b51bd023c21fed627d5ab4

SHA256
2cfe69b8ba20e4961880119cfc0d639981b72b702507993d2753cdc82dc9df89

SHA512
fd1f9c088f0c06e445e236919facb2003a05ec6b7286673a98d5d37c77e3ada5e89c94b5d428d7303c0f53f06845bdc1bd048551e0656f190e712c876383b228

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

Filesize
194B

MD5
3e95069a8b4e523780995fbc143b5958

SHA1
74a933eec2f14f5082fa044bfc82aff1f4a87718

SHA256
69fb3c9321d1cbddddaa974b4c7956ac0faf49a3bf3adcff5c623454421b3a98

SHA512
c03a5630aafb04fdc9efe680d35c69319c9ea2351023e19091288697d082ccdb799f8ac42cfd907d6157a5990d6d8c423da95a32acb365c7bf6744680a1d7bd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjNnGM38uG.bat

Filesize
194B

MD5
f06f1f1b663dcc30e8f5304863992782

SHA1
bb59a1ca5f379c33cd23d37a4c1003d99ef967ef

SHA256
0a60e7c93aada1bc05d334d82bff924a8ce28d03b103c92b8104588cb4d7dbd3

SHA512
d728e795fb3bf6f420d746b5fae72f277aa817d8c6c89827af482764e251478692cee933d9d00d1a531374e0623ff1af3fe13f45a5c49f512ddf359830009887

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
194B

MD5
7ea99d1be558c18bb7364ed331ba6c18

SHA1
eabab3eafd4802c55e172f1f6173baae0469c332

SHA256
5c992e9f5e72494127eebfa34145e3e7f2f3ac7464e448d30380b14e760b9b0a

SHA512
453faab56524e39324e2e305d98fa7c5e3d4ec295a4e689c006706aed404921aad923afd49c060296585b088eddf2d3ecbe8fc20922a345bd166e11518defd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat

Filesize
194B

MD5
f93fe724ad8cfabed12f2f9ef5c6f931

SHA1
846da20b91d5add478195cb39d1763cdd2db1089

SHA256
76c926e029e202b268b8d0f66e652dd6bede0672191e9c89bd10b4f20c7b686b

SHA512
e54f02f4b312c71f4619c0c590ab55e791ac53d51c4d4c1029918b032c228b361062b0af371a5da423a6da9036612e982d10cec13dbda5783414e900ce759264

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3251718250dbba9702d21ec3b2c2ef17

SHA1
77d16e8092632065be4900321eaf3deb06dd124d

SHA256
a47a1d5eb449e1223f2a99603073e3796ef0444c1cf38c779f7a07af7807b9b8

SHA512
e272b5c0f7b60be1fefbc79937b98967cf5c07425e17586cd895a3eb1824a2ec8cf3c7f3c36f2609bca365757297875ef55ca75f4a3376247ccdc8710ca44eb8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/852-717-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/1552-298-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1732-657-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/1928-119-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1928-118-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2016-358-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2092-596-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2092-597-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2188-64-0x000000001B820000-0x000000001BB02000-memory.dmp

Filesize
2.9MB

Download
memory/2288-536-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2300-17-0x0000000000C70000-0x0000000000C7C000-memory.dmp

Filesize
48KB

Download
memory/2300-16-0x0000000000C60000-0x0000000000C6C000-memory.dmp

Filesize
48KB

Download
memory/2300-15-0x0000000000C50000-0x0000000000C5C000-memory.dmp

Filesize
48KB

Download
memory/2300-14-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2300-13-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/2620-178-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/2624-238-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/2776-76-0x0000000001C70000-0x0000000001C78000-memory.dmp

Filesize
32KB

Download