dcrat | a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 11:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a.exe
Size

1.3MB
MD5

6d23232a78a6b829470e3d7693164614
SHA1

f9efd63beea0296b82eb801ec89cfa2843f6cc61
SHA256

a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a
SHA512

cc02bcef6f44178350aeeaf5cca4ccb73d57a8f93d73c4ef18ba48396254820efaa26de159dc946033920d7d665b7fa026570da6de76ab1cb5bfc44f751653cd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2916	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d21-10.dat	dcrat
behavioral1/memory/2724-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/1888-137-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/108-196-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/692-315-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/332-375-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2532-435-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/2364-554-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2624-614-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/2136-674-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1636	powershell.exe
2208	powershell.exe
2248	powershell.exe
3008	powershell.exe
2264	powershell.exe
2736	powershell.exe
1740	powershell.exe
3044	powershell.exe
1520	powershell.exe
1560	powershell.exe
1524	powershell.exe
2528	powershell.exe
3032	powershell.exe
1864	powershell.exe
1536	powershell.exe
1448	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	DllCommonsvc.exe
1888	explorer.exe
108	explorer.exe
1704	explorer.exe
692	explorer.exe
332	explorer.exe
2532	explorer.exe
1732	explorer.exe
2364	explorer.exe
2624	explorer.exe
2136	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
1888	cmd.exe
1888	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
23	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Vss\Writers\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2676	schtasks.exe
1632	schtasks.exe
2880	schtasks.exe
1372	schtasks.exe
3012	schtasks.exe
748	schtasks.exe
784	schtasks.exe
2644	schtasks.exe
1112	schtasks.exe
772	schtasks.exe
1160	schtasks.exe
280	schtasks.exe
300	schtasks.exe
1564	schtasks.exe
1052	schtasks.exe
1208	schtasks.exe
820	schtasks.exe
2756	schtasks.exe
2852	schtasks.exe
1932	schtasks.exe
1412	schtasks.exe
2372	schtasks.exe
2032	schtasks.exe
2872	schtasks.exe
2016	schtasks.exe
1640	schtasks.exe
2296	schtasks.exe
916	schtasks.exe
2592	schtasks.exe
1856	schtasks.exe
328	schtasks.exe
880	schtasks.exe
1608	schtasks.exe
2160	schtasks.exe
1404	schtasks.exe
2740	schtasks.exe
2192	schtasks.exe
1124	schtasks.exe
2960	schtasks.exe
2948	schtasks.exe
2424	schtasks.exe
2164	schtasks.exe
1664	schtasks.exe
2076	schtasks.exe
2580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
1520	powershell.exe
2208	powershell.exe
3044	powershell.exe
1448	powershell.exe
1560	powershell.exe
3008	powershell.exe
1536	powershell.exe
2736	powershell.exe
2264	powershell.exe
1864	powershell.exe
1740	powershell.exe
2528	powershell.exe
3032	powershell.exe
1524	powershell.exe
2248	powershell.exe
1636	powershell.exe
1888	explorer.exe
108	explorer.exe
1704	explorer.exe
692	explorer.exe
332	explorer.exe
2532	explorer.exe
1732	explorer.exe
2364	explorer.exe
2624	explorer.exe
2136	explorer.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1888	explorer.exe
Token: SeDebugPrivilege	108	explorer.exe
Token: SeDebugPrivilege	1704	explorer.exe
Token: SeDebugPrivilege	692	explorer.exe
Token: SeDebugPrivilege	332	explorer.exe
Token: SeDebugPrivilege	2532	explorer.exe
Token: SeDebugPrivilege	1732	explorer.exe
Token: SeDebugPrivilege	2364	explorer.exe
Token: SeDebugPrivilege	2624	explorer.exe
Token: SeDebugPrivilege	2136	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 2384	2304	JaffaCakes118_a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a.exe	30
PID 2304 wrote to memory of 2384	2304	JaffaCakes118_a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a.exe	30
PID 2304 wrote to memory of 2384	2304	JaffaCakes118_a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a.exe	30
PID 2304 wrote to memory of 2384	2304	JaffaCakes118_a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a.exe	30
PID 2384 wrote to memory of 1888	2384	WScript.exe	31
PID 2384 wrote to memory of 1888	2384	WScript.exe	31
PID 2384 wrote to memory of 1888	2384	WScript.exe	31
PID 2384 wrote to memory of 1888	2384	WScript.exe	31
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 2724 wrote to memory of 1740	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 1740	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 1740	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 2208	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 2208	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 2208	2724	DllCommonsvc.exe	81
PID 2724 wrote to memory of 3044	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 3044	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 3044	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 1448	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 1448	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 1448	2724	DllCommonsvc.exe	84
PID 2724 wrote to memory of 1536	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 1536	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 1536	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 1560	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 1560	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 1560	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 1864	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 1864	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 1864	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 3008	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 3008	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 3008	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 2264	2724	DllCommonsvc.exe	89
PID 2724 wrote to memory of 2264	2724	DllCommonsvc.exe	89
PID 2724 wrote to memory of 2264	2724	DllCommonsvc.exe	89
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 3032	2724	DllCommonsvc.exe	90
PID 2724 wrote to memory of 2248	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 2248	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 2248	2724	DllCommonsvc.exe	91
PID 2724 wrote to memory of 1520	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 1520	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 1520	2724	DllCommonsvc.exe	92
PID 2724 wrote to memory of 2528	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 2528	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 2528	2724	DllCommonsvc.exe	93
PID 2724 wrote to memory of 1524	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 1524	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 1524	2724	DllCommonsvc.exe	94
PID 2724 wrote to memory of 1636	2724	DllCommonsvc.exe	105
PID 2724 wrote to memory of 1636	2724	DllCommonsvc.exe	105
PID 2724 wrote to memory of 1636	2724	DllCommonsvc.exe	105
PID 2724 wrote to memory of 2736	2724	DllCommonsvc.exe	110
PID 2724 wrote to memory of 2736	2724	DllCommonsvc.exe	110
PID 2724 wrote to memory of 2736	2724	DllCommonsvc.exe	110
PID 2724 wrote to memory of 2852	2724	DllCommonsvc.exe	112
PID 2724 wrote to memory of 2852	2724	DllCommonsvc.exe	112
PID 2724 wrote to memory of 2852	2724	DllCommonsvc.exe	112
PID 2852 wrote to memory of 2676	2852	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a902630a1a33d3a92176799778e0fb628521e565bdc26c627056e7636a51e64a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sgECYpyxUl.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2676
      - C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
        7⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2488
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        9⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2532
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        11⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2328
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
        13⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2188
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        15⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:108
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
        17⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1928
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        19⤵
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2132
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        21⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1768
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
        23⤵
        
        PID:564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2832
        
        C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe
        
        "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Start Menu\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7fc6f2e01c47d11bf474a8ae3ce640b

SHA1
661913b70709a33e90ca4cc886047b5d732154be

SHA256
a6ac1804f3e0427ca41af3f2726e036f1047ea168ad6cf202724078f16ae0a3d

SHA512
3a20383e7a0a847262d63c6587ada705952129cebb3deae1084bfbf93bc9ba297e29d79ba64647cfa39de6ee417726f0dba2f77bd748c089ac3ced91098b635d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78d17ca051729dffb4062a4b70c51525

SHA1
9f23832c8633c19379e812e2aa223aa2e0d99c7f

SHA256
ce70562441f7bb63ae75e5573059acf451dc4f250525f437a20c2ee5ecbedea4

SHA512
1c45389bc40de729ce72262d95e60f8f881a80a5440f1d329eb84381edd6cb729bbf738f11ca193ca14e0261c2412835a97e3631935d4bbfa227942236752ab8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6a21272ff0d21409d3319a2c20156bd

SHA1
f54e2afbad14d494917496f63e5d21f275828ccd

SHA256
420844a67995cc7345c95fbfb94f5d3839268a40960174c6d9330e37e6e4682c

SHA512
b982594ad501cc7902b03d733036a4b1854ed94ce7a7a1670707c92b84852ab60873d3aab01f362c4b5f212fa97db1844637104b3460eeee100e2ea70d20f938

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b45df38ded054189f06b9968a3689f1

SHA1
7b9a8a972b470ff734fe9176e90a02ed34e1f531

SHA256
0e57ac1f5916962dea8c06a0ea7a38c0dcfec6dae8936748c077c045c2119c54

SHA512
c0cc8120975098e4327f3457defae7437dcecf68772cd570825e7eded72cfcf6e958b563e0ad8ca566f1f11f881fa9a74ef2ae34ddc32a38ea8c0f09ef40394f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9987d1133a52306110575ae979aabe78

SHA1
e705277f3d7b391fe20aba9d95577d7efe62fc60

SHA256
0d9642a1636f8bffa62c38d0a4f967bdda159796ed6ed67b8c0e2b00f0a5eded

SHA512
f6a484401ae2e7d867b7f8522d230116144197d7f7aefc7bce2ddfd52162f0985a7243b45463428260ec8b8ba2dba9767f6036d09745b17874663d3a62faa2bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
961907487a9aa710eef661b98c95a770

SHA1
22d5dfe933e682c85d13592f666e7417eee13a2c

SHA256
39f260287f57a0535064c33d0229594fed6ff49145861e34305d3f6c6c7f3bd3

SHA512
7b4436b8ee9a2b4d5ca19c5c01656f59240b6700456a6943095b503281662fed0e1ef63f651aeed3423a1d99c96c9c1638f20acb703b552ca4cbe79eb854300d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a45c83e4ec63a6f81ad7bd70c0624ce7

SHA1
f2ca69b4687644ff647e32abfb05e0e2eaa1f8e8

SHA256
84e73a5e5e7c68a335387597940b6c0295d554f4191f886d0c29ce5b9d3a808c

SHA512
5770906a41bb9a2f2375433588f9c84b85e75d179c00202e46497c4703cd70674c5014453def3b1214da6342635dd496d2bd098aa24062a08e26eb29daaae341

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa3494ca5ed43bb5b70b6930498bdfcb

SHA1
1e913d2675ec12b9025740a3cf8d213a68a033e6

SHA256
24c9de344259390c260ad1af27e57f7658bd94fda7797b8db58f8951e4bcfa0f

SHA512
0e80b0754735170f96d3288a8b9433bb73f61b1ed704953a2b41019756c24719d7c5ac890069de9206fc77b0313408ae0510c41d4ec7ca0ce06612f740346b7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
240B

MD5
103d74d86f3bab2a693d0ddd87cb0387

SHA1
150fa46ba4c73becca48129bd00245d575574b33

SHA256
75d75696eefa028ff639b7a07db5e0a3f066184d83900f52d2d10ad7536281d1

SHA512
28b687f24fcf3f152216d257f8d69256c7ef7175e4f14b203d07a9d5c97deb9d8b50b4e9b0c0fd7ef24d8b6d280adcbcdd023ce4f0aba16ee49426efa8a95a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

Filesize
240B

MD5
c2bc17a797b9a89bd4c5380903278a8a

SHA1
15adbeb280adfd464b53052a8052ae69c9082542

SHA256
79abbebd32bb461d9b47dc7b8ccdd3f93f0a884b65b6b7abbc212f9cdd5daa46

SHA512
c132b83528d16ce4ea6528cb8bbb0903fa41a63678aefa0f0216e3d3a95a629403b3db8c4e37b1ca195c6c9bb15175cd68ef4c5b97cb5699c603ed96cea89786

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE6C8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

Filesize
240B

MD5
e2d7eb912bafb30191f62e561037a87c

SHA1
7ea02595885d5e73a0e6cc0849bf55fc55c0c710

SHA256
483a4daa220c5225adebc4e414ceb168ee20e8cbdaead80e499bd4f40c18f0f5

SHA512
4cf748e5da9df8254c1cff6a450cbc256b6acbd2f6f9874ee0021bf674a44fe6a1d86f23eb7e7d6da29ab55039063eeb2dad36f6da55e1c075cb5d63344ebcb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
240B

MD5
3b86e3018aea8f36e2817b5008d030a5

SHA1
7320801f56117b11e6632a93c1cddcb899c8cc2f

SHA256
38f443ff75642b9b9a56f52b2c684f789b813e0230e2a5b9f09b1e620b4c8d00

SHA512
c73967f747721e22e93a4df14b2faaad03c7ca4dcea6b6de12bdb02e5959da03d9f87d5a16149d4ec5b3b818a017e13558ccd46fcb1cce16beeefe44b326cc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
240B

MD5
048dd453b238efe07d96c2f723bc6514

SHA1
cf79fe5c2b4a85a7661e2e32680cd7cb7c67488b

SHA256
052945130b7dd818d108f7c12287eac2e8dee2714752c355a35b7f3c0a5a16ec

SHA512
2ca6e7bba0b165605e787f063290aa808e4bd7dd121eea8143bc41f0578e133b5ac26af0ec23e1c6574811e7ec9cd3031a517929384e11b0b555e270d3d869e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE6EB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

Filesize
240B

MD5
6d743f535ac0fa58daa06869425eed8e

SHA1
03e7703dbeed921257699866f5d96dee7dd7eed2

SHA256
73870633fde2c2140ee10eb9873929601396dec695268314170325a606edf547

SHA512
29c3b3c168d7f4ef1c14840e864f6dab94c0081919290d64475fed30280e756ed7e53b52c6a473c8a6130d16b43aebbf1acba21f00613d3fff725f0f9480ec41

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
240B

MD5
065f839abd5315653803f1e876adeed8

SHA1
49629a5026629562ee6e70f47046ed75a76a6c81

SHA256
c34b1d1c4f83da351a9cf7d07468c5abeac541d010e549692973f48fefa4506b

SHA512
3597a6a62bcfcff0b5587015609d05b618679cf882dc14e81ca8671ef3fd1acca6b20f5414541590f25eae5287092fd87c64e6314ad0ea332ce7969438942ecd

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
240B

MD5
80115c1fa23da350f862c01ffb16b73a

SHA1
ab68292cd42d725ff14a4c21187ca6d1e282ef86

SHA256
ff4a03ffae866390350a6419d11a57911177067b69f4c9c9b2f7e19ebd0c6636

SHA512
2b8a04f530581d028da24f1a6b4a8edcea470e8f7f384c5bc7f5dd557c45b15965001a50238bd19a341364e472fc17ab8785f1912f1fb24e4c34853924eaa3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\sgECYpyxUl.bat

Filesize
240B

MD5
294a5c8c9f2713b0955961e4adafd403

SHA1
f02cde429060286dc42f8276af0037323cebe22c

SHA256
17473340e168501ac5a150992255cf7e528beac30a4cd8cb01ef907b1bcca470

SHA512
24cab6182cf997b37a80db8d470b836da8e3da212a961b4bbf21027fb5dc0d215b462c77f067b5ddca6217c5bc7f05504a335f89909ea297f3e391a129740ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
240B

MD5
8e6198d154b4f749afc45f4b95a3a9d2

SHA1
fffa0d0d3206ac94b8dd868d1db0c25894404a90

SHA256
ada64acefa77069d9b3be93b5718f1f87035df06f06e0edc1d3e762a5a624ac7

SHA512
01d7149f5e5db5b000b9b9a39fc42e39ee27571a482a4a2c0c0b733bdaa834ba9adcb435ad8a827be0112b8e3736b0a4e41a0ce37d1442e653494acdea9626ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XH7PPD1JL734QGEAIDFG.temp

Filesize
7KB

MD5
f016487ead83e92cce436928f97a15e1

SHA1
2af8aa170061f977d6336215c7209377c8b11bd6

SHA256
56b4b055402558cf4ddfcdc196cb47287da8dd846e5634460266b73230af206a

SHA512
a002f17cc674266305a53b11e56038f71d787f10531aa6505a0049473e3f213da064656f7b86f1642fc973f8f4530c6227a6e28c9b70e7d7658deded8cbb2964

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/108-196-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/332-375-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/692-315-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/1520-72-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/1520-66-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/1888-137-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2136-674-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/2364-554-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2532-435-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2624-614-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2724-13-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2724-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2724-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2724-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download