dcrat | 533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf.exe
Size

1.3MB
MD5

95a9c8650e29191f70ae16a202707b2e
SHA1

cc4eded35dd161b06b29d218049a75b484d6f8c5
SHA256

533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf
SHA512

ff4a9a5bbaa7478ab3c7d31c6357bfbdc5bc50ec6fe8ba3226150d49a12ae17bdb4665974c02fb65eff2f87206f863e5489ec1a743d85151041bc29c517c7faa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2984	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2984	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0e-9.dat	dcrat
behavioral1/memory/2388-13-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/1644-131-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/1364-191-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2592-251-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2848-429-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2700-490-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1936	powershell.exe
2436	powershell.exe
1080	powershell.exe
272	powershell.exe
1192	powershell.exe
1920	powershell.exe
1684	powershell.exe
1604	powershell.exe
1524	powershell.exe
1916	powershell.exe
876	powershell.exe
1580	powershell.exe
1616	powershell.exe
2508	powershell.exe
2496	powershell.exe
2488	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2388	DllCommonsvc.exe
1644	services.exe
1364	services.exe
2592	services.exe
2704	services.exe
2248	services.exe
2848	services.exe
2700	services.exe
1956	services.exe
2532	services.exe
2000	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2172	cmd.exe
2172	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
29	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Fonts\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\System.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2804	schtasks.exe
2788	schtasks.exe
2168	schtasks.exe
2088	schtasks.exe
2160	schtasks.exe
1136	schtasks.exe
2868	schtasks.exe
3040	schtasks.exe
1824	schtasks.exe
1072	schtasks.exe
2308	schtasks.exe
1252	schtasks.exe
592	schtasks.exe
1164	schtasks.exe
1792	schtasks.exe
2084	schtasks.exe
1328	schtasks.exe
1360	schtasks.exe
2656	schtasks.exe
2688	schtasks.exe
2720	schtasks.exe
2888	schtasks.exe
444	schtasks.exe
1872	schtasks.exe
2912	schtasks.exe
2272	schtasks.exe
2132	schtasks.exe
1272	schtasks.exe
1320	schtasks.exe
3016	schtasks.exe
1976	schtasks.exe
2776	schtasks.exe
640	schtasks.exe
2568	schtasks.exe
2576	schtasks.exe
1660	schtasks.exe
1444	schtasks.exe
952	schtasks.exe
2744	schtasks.exe
2580	schtasks.exe
2900	schtasks.exe
1760	schtasks.exe
1988	schtasks.exe
2644	schtasks.exe
900	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2388	DllCommonsvc.exe
2388	DllCommonsvc.exe
2388	DllCommonsvc.exe
2388	DllCommonsvc.exe
2388	DllCommonsvc.exe
1192	powershell.exe
1604	powershell.exe
1936	powershell.exe
1580	powershell.exe
1080	powershell.exe
2496	powershell.exe
2508	powershell.exe
2436	powershell.exe
1920	powershell.exe
272	powershell.exe
1524	powershell.exe
876	powershell.exe
1616	powershell.exe
1684	powershell.exe
1916	powershell.exe
1644	services.exe
1364	services.exe
2592	services.exe
2704	services.exe
2248	services.exe
2848	services.exe
2700	services.exe
1956	services.exe
2532	services.exe
2000	services.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	DllCommonsvc.exe
Token: SeDebugPrivilege	1192	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1920	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	1644	services.exe
Token: SeDebugPrivilege	1364	services.exe
Token: SeDebugPrivilege	2592	services.exe
Token: SeDebugPrivilege	2704	services.exe
Token: SeDebugPrivilege	2248	services.exe
Token: SeDebugPrivilege	2848	services.exe
Token: SeDebugPrivilege	2700	services.exe
Token: SeDebugPrivilege	1956	services.exe
Token: SeDebugPrivilege	2532	services.exe
Token: SeDebugPrivilege	2000	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2664	3012	JaffaCakes118_533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf.exe	30
PID 3012 wrote to memory of 2664	3012	JaffaCakes118_533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf.exe	30
PID 3012 wrote to memory of 2664	3012	JaffaCakes118_533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf.exe	30
PID 3012 wrote to memory of 2664	3012	JaffaCakes118_533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf.exe	30
PID 2664 wrote to memory of 2172	2664	WScript.exe	31
PID 2664 wrote to memory of 2172	2664	WScript.exe	31
PID 2664 wrote to memory of 2172	2664	WScript.exe	31
PID 2664 wrote to memory of 2172	2664	WScript.exe	31
PID 2172 wrote to memory of 2388	2172	cmd.exe	33
PID 2172 wrote to memory of 2388	2172	cmd.exe	33
PID 2172 wrote to memory of 2388	2172	cmd.exe	33
PID 2172 wrote to memory of 2388	2172	cmd.exe	33
PID 2388 wrote to memory of 272	2388	DllCommonsvc.exe	80
PID 2388 wrote to memory of 272	2388	DllCommonsvc.exe	80
PID 2388 wrote to memory of 272	2388	DllCommonsvc.exe	80
PID 2388 wrote to memory of 1936	2388	DllCommonsvc.exe	81
PID 2388 wrote to memory of 1936	2388	DllCommonsvc.exe	81
PID 2388 wrote to memory of 1936	2388	DllCommonsvc.exe	81
PID 2388 wrote to memory of 1524	2388	DllCommonsvc.exe	82
PID 2388 wrote to memory of 1524	2388	DllCommonsvc.exe	82
PID 2388 wrote to memory of 1524	2388	DllCommonsvc.exe	82
PID 2388 wrote to memory of 1192	2388	DllCommonsvc.exe	83
PID 2388 wrote to memory of 1192	2388	DllCommonsvc.exe	83
PID 2388 wrote to memory of 1192	2388	DllCommonsvc.exe	83
PID 2388 wrote to memory of 1920	2388	DllCommonsvc.exe	84
PID 2388 wrote to memory of 1920	2388	DllCommonsvc.exe	84
PID 2388 wrote to memory of 1920	2388	DllCommonsvc.exe	84
PID 2388 wrote to memory of 1916	2388	DllCommonsvc.exe	85
PID 2388 wrote to memory of 1916	2388	DllCommonsvc.exe	85
PID 2388 wrote to memory of 1916	2388	DllCommonsvc.exe	85
PID 2388 wrote to memory of 876	2388	DllCommonsvc.exe	86
PID 2388 wrote to memory of 876	2388	DllCommonsvc.exe	86
PID 2388 wrote to memory of 876	2388	DllCommonsvc.exe	86
PID 2388 wrote to memory of 2508	2388	DllCommonsvc.exe	87
PID 2388 wrote to memory of 2508	2388	DllCommonsvc.exe	87
PID 2388 wrote to memory of 2508	2388	DllCommonsvc.exe	87
PID 2388 wrote to memory of 2436	2388	DllCommonsvc.exe	88
PID 2388 wrote to memory of 2436	2388	DllCommonsvc.exe	88
PID 2388 wrote to memory of 2436	2388	DllCommonsvc.exe	88
PID 2388 wrote to memory of 1684	2388	DllCommonsvc.exe	89
PID 2388 wrote to memory of 1684	2388	DllCommonsvc.exe	89
PID 2388 wrote to memory of 1684	2388	DllCommonsvc.exe	89
PID 2388 wrote to memory of 2496	2388	DllCommonsvc.exe	90
PID 2388 wrote to memory of 2496	2388	DllCommonsvc.exe	90
PID 2388 wrote to memory of 2496	2388	DllCommonsvc.exe	90
PID 2388 wrote to memory of 2488	2388	DllCommonsvc.exe	91
PID 2388 wrote to memory of 2488	2388	DllCommonsvc.exe	91
PID 2388 wrote to memory of 2488	2388	DllCommonsvc.exe	91
PID 2388 wrote to memory of 1580	2388	DllCommonsvc.exe	92
PID 2388 wrote to memory of 1580	2388	DllCommonsvc.exe	92
PID 2388 wrote to memory of 1580	2388	DllCommonsvc.exe	92
PID 2388 wrote to memory of 1616	2388	DllCommonsvc.exe	93
PID 2388 wrote to memory of 1616	2388	DllCommonsvc.exe	93
PID 2388 wrote to memory of 1616	2388	DllCommonsvc.exe	93
PID 2388 wrote to memory of 1080	2388	DllCommonsvc.exe	94
PID 2388 wrote to memory of 1080	2388	DllCommonsvc.exe	94
PID 2388 wrote to memory of 1080	2388	DllCommonsvc.exe	94
PID 2388 wrote to memory of 1604	2388	DllCommonsvc.exe	95
PID 2388 wrote to memory of 1604	2388	DllCommonsvc.exe	95
PID 2388 wrote to memory of 1604	2388	DllCommonsvc.exe	95
PID 2388 wrote to memory of 3008	2388	DllCommonsvc.exe	112
PID 2388 wrote to memory of 3008	2388	DllCommonsvc.exe	112
PID 2388 wrote to memory of 3008	2388	DllCommonsvc.exe	112
PID 3008 wrote to memory of 1424	3008	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_533b950c414724cc320cbe928d079f64ce15f6c0ee20711215d3cdf7f66e1acf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Landscapes\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z6ibNNDRjp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1424
      - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"
        7⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:828
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        9⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2256
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        11⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2656
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        13⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2556
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
        15⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1560
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        17⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:852
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
        19⤵
        
        PID:2976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:472
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
        21⤵
        
        PID:2372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2364
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat"
        23⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1136
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\Default\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Start Menu\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Public\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Public\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50bcfe65a6a14184639b3f2bc1a1fe32

SHA1
598b2e5aefc317b196a6b19190f4e05a8e6fa8b6

SHA256
717b208d88a80194fe6a04325631bb45002d096f44e6d3ca10292fc3bafbf685

SHA512
7ec9c8b4b8c89f8beace14b280bdfb07ed996756b778b49f96e87529d2b6217127725329a06fd0076602ad9891aa805418ddf600df98ef8f4fde2271c5c4b794

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9198754472b844ee586623f645931644

SHA1
588529763c3273551b04ec0adced5187f3d5d32f

SHA256
ce418325e6739d9056f9c2bf92e7984607a564ca0da0e2ba83e8a92b4c7a8a70

SHA512
ada4347dfe15b40643d574acc1409184ac80c671c01ce132527eb73e0018ce68c63fea6f93993beceee7291aad8529b5a1dfeddadb01b93ffddd0b385706d764

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09e20558f52c9b81d9ba01daf2f0bc16

SHA1
e3d196cf4de36c04fefe313de39d0b72256ab57a

SHA256
3ab56f8e5252485be39716887eb9a2af3624a51a47e70db73f7cf20815e26c20

SHA512
cf8035cce82a0a0048316df174e811affbe216aa09d3cabf8d33ee6f48f1080b18dba713e1c36d3cb0f9834bd79aa8ebba38918b1534bf9583964344fc87aa7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0070b30e8114d6682f96c8f87d33ba6b

SHA1
98503b2cc614bee2b1cd29fe107882847482dbfb

SHA256
feaa3429b001e09f1b9724a0c2d094e38401c36316c0fdc24afa031428aa7b91

SHA512
f75521a83244599d22c098c468c7bb4063bf123f4e3f37308c892dcb906a41be19e9d8f646e50607ce440911834d9b0bae156921a0abc5ddf70b5b7633a67d3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdfce193cd1050484a493a3b87680857

SHA1
89dd5ed0051bc80737b287085524ae46ec7f9bdc

SHA256
084f4b0b1e0031f54e37384182ed887845acb89d9202b1c4d9d8b7a4a4074fdf

SHA512
e4dd91a76ec5919550434e37fb8d73ff2b197f6ae506843f265d27245f7391f2102279dbaad779dc6dc6a41b7fc60d143333c4fd1455e91542420d5954c90525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d70d8bc6f43458b210635235d90f2bf6

SHA1
de17367471078290e5fc3eabf33b75ca6ede56b0

SHA256
6ef1636240299abc52637687349e4aaef4990745b27e9e65d86a44f9c859e758

SHA512
b37476c0ddc5fc324e67b1901292c16105b8c8b2256f69df4f16ba2155d7d0341889e41b537560cb781fec1d10903d128086d70ed623ebcef2efd7d67603690c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d28c31b283f6a5a23c31ecc06f38eacc

SHA1
75d0dfa380e79254ab1349b29af300f2737b8463

SHA256
fe84afb0adcd3c1542145e16c62c6c5aba44bf9cddbb6cf68a39d1212a4cb7b7

SHA512
040d26a08ac0faba21fb3b393e2cabdf9439fd12a42d8b2510962194a57bd3929b78dc6afc981b07d61d281977acf570ad838b5c0bbc41bd0c7c1a78810eccd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca98191bb54dc0af14f7734373ba1119

SHA1
f8f6f9fc4b73b5a83f4d4fe0ca10babbeb2483b8

SHA256
ad63fb961ed4c5f67883175f04f9d4696f8b4bcba3f049016097454114fff15f

SHA512
569a3160f7c4781142d6b0e152b412a42b2a8efc2af51cbb207902ad2fc48042c8b4ab3ccc7425b0ea6150dfc0fb9d804186deea20df704243a03efaa3d45cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

Filesize
240B

MD5
afa9a82ecb8de267e339e6a3208811d3

SHA1
db092a8c759a7e55affc6ba53bbddcbd7fa918f6

SHA256
2ace0403f8f0ff89f81531e5ba08cdfbf085e014ea978a7ef51f100b958a6a6b

SHA512
7a363e1e3d9710efc8f40b60ca313f0f48b921c150d61e13c39db5f9ff1cf3cee77882417278391a25685b114506734222979197d223e7f662b6e22981210de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat

Filesize
240B

MD5
2a49de42b80b692394f2f5e8aa299fc7

SHA1
4c152f63f14fb5ef5c360dd1852d80dded7a8386

SHA256
88be08e467fb20b5148be258f171c3d85853f09f782af3595b0705d7090b0c14

SHA512
edc29076ab95df3a2c6eeafdd64aa805d549536784ed274f7c85cd507494c5c75c1d11206231cd2ccb4aee992c5cfffabbeaae55bb55532ca1b0edba5c4cb932

Download Submit
C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

Filesize
240B

MD5
07bc006fe0c763f8eac3d5401c306324

SHA1
1f661c019360518d17f91ff3cd30a8e08b736f7b

SHA256
08f929feb5c9121cd95db2f2c9afb3325ae03bd3c7084c70004d8da79ca2c1ac

SHA512
9d5f790608fa166edeb6f1b1248f735789fb670e26f7bd65b759f8c088f5c8587a89c17048fdf967cff18b605a86729fb0e1abf70982ce515c54bebf1685e888

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab946.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

Filesize
240B

MD5
0f9455fdd51d851c8a1e901d4c31f65d

SHA1
e84c4516c2c0ca596d8b147a6c6378db61cfe305

SHA256
d858cdf6d8f6dddd1c92d51a22a0f601d9f0fb0456896afd447a8c2e178892a1

SHA512
78556cce5d47c951be0e496d36cec7b623d0259353c2ec576c8740c29b44e11387c9225f78438818dcd46cf99f1b319ec1ed65e03b26aae50c65b0c56f980680

Download Submit
C:\Users\Admin\AppData\Local\Temp\L59TFxmxil.bat

Filesize
240B

MD5
072172d864d39aa6701bf95be316e5bf

SHA1
c724bcf56f5ccf128d40f953c8f3ac74d8a0c15f

SHA256
e346f62dcd5382dc6c1693d7a120a3e5a2df28ba98d2d167002632257dde232f

SHA512
e00a54ef20d3b6aaa3974baf6bdd568330743cb69d6ffa54ce9d70ac0e6d5f5681a008261bfef8e0b1de6d779cbadfaddd8eb2de6969d89011c3ca816a5e3e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar968.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
240B

MD5
a47754bbdd259a19d10b6d725c2ec561

SHA1
cb05fc53fae5def934d86f97e960d226ae40adb8

SHA256
ad05fcbbb162bcf2733ac8281f6e4c0b7770d3dccb13086da18bbaa65c22e36f

SHA512
5ed0a9273fa4a39162681379b604b3a56682ee3f7b2d7ea73413f811101e8abe9c1218fb7bfcb8e8f60ff1d6d36590475ef70d1be45c90662e9862d089a3e3fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z6ibNNDRjp.bat

Filesize
240B

MD5
379c75b50d7e95b85110b42d4aec89ea

SHA1
b24f16810d35432cd563b8ff8bb507d0a5511428

SHA256
0b1e2d20c455a3116935eb5a7ecdd9c09f402be95adc815acbb470cb32202950

SHA512
c5bf35970a9fe6b6e192dc0a3a1e504473a1f29098789026b8162dd91efd3e8a39b8cbceb0a3275cb9232f26fbefe5e0f425699667ec8423b33ec7e7ed83463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

Filesize
240B

MD5
3a13aeee2f436522f3b435ddb1290fe6

SHA1
82333ced27c66057ee0d26b82067e2ed9c5e9356

SHA256
9a6b4b57e578321732e95c3d4cbcbb92b4e0c9619bedae05b1dfc80da95b17f2

SHA512
b528abceeb8a24a7f5fb54b22afadc5038246031ffd2f8a58d8e3ce7cbdbbacd133e8accfe0b565c3afe7772031a70d97eefc38bf7cea5863c934251cbbee356

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
240B

MD5
2820d50b852249133b8e5f3eb41c721c

SHA1
d599faae7ee1818ece1d31dad548164164f719e3

SHA256
17d14d65b1fe58eb92fe680027686a6b7d0b32c9df8f0a9abec8638498a510a4

SHA512
b5d3c5e14b536b8f11c09eb7ec1c8107c12c85cce5e389d7ae99e3c5826192231a1d8c01bca1591eb7661a9dae9f1d9f07d6ffe899d48bdef5913e84c5b113b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat

Filesize
240B

MD5
b3cbdb6d66fe954e4a54bd4ae410e23f

SHA1
469f71290513f2d077a7ee4fbb2c8275c53dcf6f

SHA256
99423f4cc865bdc4de42fef469901e16ba9693ab5b24129fa51a705fccc14f5b

SHA512
a01beefa9502901903a0f96b568286c1aa7a22cf828854cf47e855b51e47c121a1b6c0a46fbec48a17f32cf7b09b29d71fc4ed39b5964a8d4be9737729470350

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3A4720BQ8801MGCRXWQ6.temp

Filesize
7KB

MD5
2f17ecec193a74bb480084fe3f6c204c

SHA1
6dbab8e66f4d683525b5370f2512fc8d190ad12f

SHA256
a775cf716be59b022ba16d79c8c6e39020f4bdd4a4d07181ea199c610a211f03

SHA512
cfa42fdbd7c65b211ade521c008aa26ad31677667d714be965bf05fd1c44809e3d4a59a0dd88818692ee470b4e828f80fdf1e8d1bb0b1aae9577ed523860dba7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1192-59-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/1192-60-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1364-191-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1644-132-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1644-131-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2388-15-0x00000000006F0000-0x00000000006FC000-memory.dmp

Filesize
48KB

Download
memory/2388-13-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/2388-14-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2388-17-0x0000000000A40000-0x0000000000A4C000-memory.dmp

Filesize
48KB

Download
memory/2388-16-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/2592-251-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/2700-490-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/2848-430-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2848-429-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download