dcrat | c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8.exe
Size

1.3MB
MD5

73d38f30aca8a28c2fa53318d62c2bfa
SHA1

9122472282a6fd371f2dd03e76bed17e66d830ca
SHA256

c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8
SHA512

f3be1caad7cb16fa8516bb270dc077a1f72841414484ab346344b97cbc34a63b632398c5acffe7d9f4c6fba5e686e0f8bd730a1fb21dd1bebe8803f0de065385
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2568	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2568	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019217-9.dat	dcrat
behavioral1/memory/2788-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/2588-56-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/1256-202-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/1656-382-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/320-442-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2768-502-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/1324-562-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe
2828	powershell.exe
2112	powershell.exe
2452	powershell.exe
1596	powershell.exe
1764	powershell.exe
2728	powershell.exe
3036	powershell.exe
2888	powershell.exe
2100	powershell.exe
2684	powershell.exe
1608	powershell.exe
1732	powershell.exe
2624	powershell.exe
1576	powershell.exe
2996	powershell.exe
1424	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2788	DllCommonsvc.exe
2588	lsm.exe
1256	lsm.exe
2728	lsm.exe
2704	lsm.exe
1656	lsm.exe
320	lsm.exe
2768	lsm.exe
1324	lsm.exe
3000	lsm.exe
1932	lsm.exe
2948	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	cmd.exe
2692	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
37	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\OSPPSVC.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\L2Schemas\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2344	schtasks.exe
2168	schtasks.exe
2712	schtasks.exe
2592	schtasks.exe
288	schtasks.exe
2416	schtasks.exe
2076	schtasks.exe
680	schtasks.exe
2872	schtasks.exe
544	schtasks.exe
1540	schtasks.exe
800	schtasks.exe
1220	schtasks.exe
2104	schtasks.exe
344	schtasks.exe
2060	schtasks.exe
304	schtasks.exe
976	schtasks.exe
376	schtasks.exe
2388	schtasks.exe
972	schtasks.exe
2244	schtasks.exe
2908	schtasks.exe
2988	schtasks.exe
1368	schtasks.exe
2068	schtasks.exe
1152	schtasks.exe
2940	schtasks.exe
268	schtasks.exe
1680	schtasks.exe
1088	schtasks.exe
2000	schtasks.exe
1724	schtasks.exe
3028	schtasks.exe
2560	schtasks.exe
2760	schtasks.exe
664	schtasks.exe
448	schtasks.exe
3004	schtasks.exe
2656	schtasks.exe
1612	schtasks.exe
2136	schtasks.exe
1472	schtasks.exe
2324	schtasks.exe
2192	schtasks.exe
2120	schtasks.exe
340	schtasks.exe
1020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2788	DllCommonsvc.exe
2788	DllCommonsvc.exe
2788	DllCommonsvc.exe
2100	powershell.exe
2624	powershell.exe
1596	powershell.exe
2440	powershell.exe
2996	powershell.exe
2728	powershell.exe
2588	lsm.exe
1764	powershell.exe
3036	powershell.exe
2684	powershell.exe
2888	powershell.exe
2452	powershell.exe
1732	powershell.exe
1576	powershell.exe
2112	powershell.exe
2828	powershell.exe
1424	powershell.exe
1608	powershell.exe
1256	lsm.exe
2728	lsm.exe
2704	lsm.exe
1656	lsm.exe
320	lsm.exe
2768	lsm.exe
1324	lsm.exe
3000	lsm.exe
1932	lsm.exe
2948	lsm.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2788	DllCommonsvc.exe
Token: SeDebugPrivilege	2588	lsm.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1256	lsm.exe
Token: SeDebugPrivilege	2728	lsm.exe
Token: SeDebugPrivilege	2704	lsm.exe
Token: SeDebugPrivilege	1656	lsm.exe
Token: SeDebugPrivilege	320	lsm.exe
Token: SeDebugPrivilege	2768	lsm.exe
Token: SeDebugPrivilege	1324	lsm.exe
Token: SeDebugPrivilege	3000	lsm.exe
Token: SeDebugPrivilege	1932	lsm.exe
Token: SeDebugPrivilege	2948	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2264	1940	JaffaCakes118_c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8.exe	31
PID 1940 wrote to memory of 2264	1940	JaffaCakes118_c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8.exe	31
PID 1940 wrote to memory of 2264	1940	JaffaCakes118_c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8.exe	31
PID 1940 wrote to memory of 2264	1940	JaffaCakes118_c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8.exe	31
PID 2264 wrote to memory of 2692	2264	WScript.exe	32
PID 2264 wrote to memory of 2692	2264	WScript.exe	32
PID 2264 wrote to memory of 2692	2264	WScript.exe	32
PID 2264 wrote to memory of 2692	2264	WScript.exe	32
PID 2692 wrote to memory of 2788	2692	cmd.exe	34
PID 2692 wrote to memory of 2788	2692	cmd.exe	34
PID 2692 wrote to memory of 2788	2692	cmd.exe	34
PID 2692 wrote to memory of 2788	2692	cmd.exe	34
PID 2788 wrote to memory of 2440	2788	DllCommonsvc.exe	84
PID 2788 wrote to memory of 2440	2788	DllCommonsvc.exe	84
PID 2788 wrote to memory of 2440	2788	DllCommonsvc.exe	84
PID 2788 wrote to memory of 2112	2788	DllCommonsvc.exe	85
PID 2788 wrote to memory of 2112	2788	DllCommonsvc.exe	85
PID 2788 wrote to memory of 2112	2788	DllCommonsvc.exe	85
PID 2788 wrote to memory of 1596	2788	DllCommonsvc.exe	86
PID 2788 wrote to memory of 1596	2788	DllCommonsvc.exe	86
PID 2788 wrote to memory of 1596	2788	DllCommonsvc.exe	86
PID 2788 wrote to memory of 1608	2788	DllCommonsvc.exe	87
PID 2788 wrote to memory of 1608	2788	DllCommonsvc.exe	87
PID 2788 wrote to memory of 1608	2788	DllCommonsvc.exe	87
PID 2788 wrote to memory of 2452	2788	DllCommonsvc.exe	88
PID 2788 wrote to memory of 2452	2788	DllCommonsvc.exe	88
PID 2788 wrote to memory of 2452	2788	DllCommonsvc.exe	88
PID 2788 wrote to memory of 1732	2788	DllCommonsvc.exe	89
PID 2788 wrote to memory of 1732	2788	DllCommonsvc.exe	89
PID 2788 wrote to memory of 1732	2788	DllCommonsvc.exe	89
PID 2788 wrote to memory of 2624	2788	DllCommonsvc.exe	90
PID 2788 wrote to memory of 2624	2788	DllCommonsvc.exe	90
PID 2788 wrote to memory of 2624	2788	DllCommonsvc.exe	90
PID 2788 wrote to memory of 1576	2788	DllCommonsvc.exe	91
PID 2788 wrote to memory of 1576	2788	DllCommonsvc.exe	91
PID 2788 wrote to memory of 1576	2788	DllCommonsvc.exe	91
PID 2788 wrote to memory of 1764	2788	DllCommonsvc.exe	92
PID 2788 wrote to memory of 1764	2788	DllCommonsvc.exe	92
PID 2788 wrote to memory of 1764	2788	DllCommonsvc.exe	92
PID 2788 wrote to memory of 2828	2788	DllCommonsvc.exe	93
PID 2788 wrote to memory of 2828	2788	DllCommonsvc.exe	93
PID 2788 wrote to memory of 2828	2788	DllCommonsvc.exe	93
PID 2788 wrote to memory of 2996	2788	DllCommonsvc.exe	94
PID 2788 wrote to memory of 2996	2788	DllCommonsvc.exe	94
PID 2788 wrote to memory of 2996	2788	DllCommonsvc.exe	94
PID 2788 wrote to memory of 1424	2788	DllCommonsvc.exe	95
PID 2788 wrote to memory of 1424	2788	DllCommonsvc.exe	95
PID 2788 wrote to memory of 1424	2788	DllCommonsvc.exe	95
PID 2788 wrote to memory of 3036	2788	DllCommonsvc.exe	96
PID 2788 wrote to memory of 3036	2788	DllCommonsvc.exe	96
PID 2788 wrote to memory of 3036	2788	DllCommonsvc.exe	96
PID 2788 wrote to memory of 2100	2788	DllCommonsvc.exe	98
PID 2788 wrote to memory of 2100	2788	DllCommonsvc.exe	98
PID 2788 wrote to memory of 2100	2788	DllCommonsvc.exe	98
PID 2788 wrote to memory of 2888	2788	DllCommonsvc.exe	99
PID 2788 wrote to memory of 2888	2788	DllCommonsvc.exe	99
PID 2788 wrote to memory of 2888	2788	DllCommonsvc.exe	99
PID 2788 wrote to memory of 2728	2788	DllCommonsvc.exe	100
PID 2788 wrote to memory of 2728	2788	DllCommonsvc.exe	100
PID 2788 wrote to memory of 2728	2788	DllCommonsvc.exe	100
PID 2788 wrote to memory of 2684	2788	DllCommonsvc.exe	101
PID 2788 wrote to memory of 2684	2788	DllCommonsvc.exe	101
PID 2788 wrote to memory of 2684	2788	DllCommonsvc.exe	101
PID 2788 wrote to memory of 2588	2788	DllCommonsvc.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c510dbb0f9d0043c4b60e4f4c407e34e329ea035aed402bd5710d239c1cadcd8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
        6⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2360
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        8⤵
        
        PID:816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:852
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        10⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1344
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
        12⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1948
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        14⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1672
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
        16⤵
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2416
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        18⤵
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2168
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        20⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2340
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        22⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:800
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        24⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2764
        
        C:\providercommon\lsm.exe
        
        "C:\providercommon\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\L2Schemas\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\L2Schemas\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1daf03fdcf6aaf5d22223470523a87ec

SHA1
ba00c6ebdf684f7e80ba8f887caa73326514a063

SHA256
dcb7eba09ab471ca4a867b2876957b8b0a6c14d84b983d71cfe0a680afd87c73

SHA512
00bd52d8e99a7af7728b7cba51e9e97dacc33c10bf0111486a758318f66817b861930b0759e4621ea568b7d72e64ffbaaa8abacfa9750606d4fac10de378e634

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdf4fe08ab5084630b981a675552a2ac

SHA1
69394daaf290c979cc77d5b41312b9532242fca3

SHA256
7d494c8e27c3d21d621699ff689ad7e1d847106ea49ecbbfad03030f02b7b3f7

SHA512
b47ab5329229621a14bd2c8cef88367c0c5c68b1c44b5907f3169c3d3aa09d84a6fd7ef56c1defc92ac645ef8f498e393777952f10845fccfa32e6d2d59fe75b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67dece501ab330987d66a92bc9239054

SHA1
51947b93c5e994d47f51020548981857a1a20a62

SHA256
c4d75f5170fbc8cfb29a3ce14c3f339383a638d9f8fba0aefed8549f7885066b

SHA512
1268f196ff3f79175b8db1cf389665d7c692c4e49776a4852736a0ab6af271f4e19c472ea50ef30ab4742f09b34b191278431464be8181ad21b20c1a5a199893

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf8c3fccd383c498636555ff210d9a6f

SHA1
d70efb2d213a7c3d14cd9c18172d7092d037b9c7

SHA256
3c06186d1135be342b9c2b2c7a84a736d782b4ea8b84ce5aa2ca27214797bbc5

SHA512
1c594d98d867057ddebeac9ab0143c6d572639989f084bb3eb7f83844d1fafc4b85be67a959b9b9a80e8bcac9fb66f97ae3e1a60a2e5759e5896162eb1c9eb05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1773c19513c471f834cbc52e86c03341

SHA1
b03a656010c9b07d2bb6eac1aa07e25540bf9f51

SHA256
04644dbf300fdba8d5b17eb5a91d4242fbbc3291ef461318bfa2ccd8e2321390

SHA512
d21448cdc3acfc7886e00164e5408990f59b9536cbeb8333d42aaf7dd4785d9c2351f5177e51a15a9e121e9162714b792f57de794fad4ef6f41d1f437143415b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a86a5587c18afe05389dc530d460879

SHA1
04abc472dc274b8b840401046cc73f9e15fd0f30

SHA256
249834aafaf144a1c7c83940b583851cffdafe8100afc91438320b1a6860ffcf

SHA512
10ea4aca61aa8087e61cf956b4eec278f8261b4989420d001b69ca3287c2717ea3af1066e3c4ed34a660b87d409d72194ebc7e4f78490872c60ec90aa71f6fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6537c508c6507d574d880210c89eef76

SHA1
2d66d7088a633b781d634d45f9d670bf69c8d602

SHA256
e28f4e74782362678cd71e01ee17e78d826c85399711be375c2ed715c51f493e

SHA512
3da7b4bcc17c6938c26d0034d446af0bc7eed62d0aae003be1fd32b2a86b01566692f377e9edb9b7672bb450cd11d19a83364d15b53b6603775046ad468456e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7241fdff3d0a7c84a7ae01716459383

SHA1
9ce5f6100edfa7241a46415b60feaf02757d2d34

SHA256
b99060214eb25b7225214172ef98ff5bcc76cc9d1d629a128de3b494ffba9831

SHA512
c07d8183e0fbf70a5e19372afeb076848daa56d0ad59249b4f12ee1ce42746380a0eda8452f72555b74b2aa334926ee1831d00b4f164a00530511c11af7db513

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36dd034707e99026f5f73f2953567e97

SHA1
0adf619098f41fc571856d5de400b95d01bb0fc8

SHA256
b16f73e9b9c2b48346edbbc0155c7a0288e7f2df29b3ab3c9473a1bc8e279b12

SHA512
84d1a9a06de29ac5b563b878f6c14d54c976b69dc5e56989008b0a068caca25011dc5abd951f87d8d0657746ebd7aadc5cd115ad2c39788633fa361a1d00d7fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
190B

MD5
aa0a11ac68d4dbc1a9495246a95df6d3

SHA1
3ea72a39ce2b057cd1d29a13f9c57fdd673b9101

SHA256
10ee80a33583007979989e0d36438e6c651070d6f0fca5c6391dd1ffb7b5e38e

SHA512
40035ef84423fe9381d1b5f3aeefab29d88ab3f42bf540bb4e00b25eddadaf0b6c937a930c6173acb63b453e80df77c659f61003bf03609c19d4de3b59c16117

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1F17.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

Filesize
190B

MD5
286aa2769c1e8e331e9f43d3b6193198

SHA1
331197009327c9d8e7b5936007dcd20aea60dc5b

SHA256
fcaf2fd46924b51a856b340add0b12c6e6f1d2060c54db81b02069b5131be2ea

SHA512
00bfca8e1a854698bf7c76d9611d04a0d93c615746308be9f08247051cf21887d01de3f9d75972e64b19df11fdaebad595881f38e87fb5e20a8a3c21fcab719e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
190B

MD5
26fe4adb97af3493b9c720e8ddb98288

SHA1
10334509686b2003637f47d73a3e01fb0026d99e

SHA256
987a35fcaf53d956f4b48669e5f96ef35c069e9eb4a4675b6e343fec8e69fd50

SHA512
f9fc7ae2e84941ee9042efe48d1db0d3f2ffab731b20a69958ea4a266f6b70db16b4ce8fe18ebc5eb7390143d79819fef59ad8642b9cd980fe5a36afd69e2620

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
190B

MD5
8ebae100af1a31169673eed6af699715

SHA1
be7e86bd32276d7940e39aca5f20c1a06134e5f5

SHA256
5ade713d7519241e3aa7348a07fa1fc6c88832f3b9fe78d15bd46ba31979636c

SHA512
a3e405128afbf57ee414c59fa82dd13ea2b38ce05926247f598cad44d6857bf6e7a30660e0cff3516ca1f7d30a33e2a83ac40b45fee3b69a976d2d775966ccdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
190B

MD5
e79a765ca3de4b314d038a56282c8a81

SHA1
62a10cf0fa64a3fc30a499e0f76473118e889d74

SHA256
8eb6ce6212c2c618117d1f591c37a07641d6ac4b74e06083d75214ad7b97ad06

SHA512
91e54d77f62e386d0d3d7265457b5b6cbbcf8db426515899945b5a15c92ce46953cd3f2c5b5bbbbbe2aaf34f010d3f4c295d7c654f45b0cc65c87829a59e531a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1F29.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
190B

MD5
d1d08fde0aee87d6a9559650749ce463

SHA1
ed14f82a0b01d2e892002d38f216eb0b8ce475a6

SHA256
834d35e3675e91c2ad1b622507064cb053bf2d5fa76933c8b73b052a060a6a81

SHA512
14d39ae848d6bcebbc576cb5ef5f1f9f52a9ce6994b7d7254b4825de3a726bca542112d904c8a8ddff534802922479a9921674be24277a6a0e0907671e961b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
190B

MD5
2b8d19e909fc7037f930a1628369af8d

SHA1
c2e90d729b93b7ff377411e182ab54f39d7db4db

SHA256
aece513199778f3c064551bccf1948a768526ea50a8c632b903249a7a75cbf93

SHA512
b9c3a3b21038678c74fc713391d15472cc0e87fdb0056e3666ffd5b9dbf7f5ac74ba0326057ce44856be0fd02489142cb5a508f8a6d5cad22e741bc6bf6cee6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

Filesize
190B

MD5
13f27cb4a1fdd3611bcedb28d2fedbdb

SHA1
0acbbd7dedfe161416c60019706ef04d26cff067

SHA256
593c08b4ee5533bdce5672f5f5a58daf6a36911e698b02499c4d346b81f0f8d0

SHA512
4bcc162d7ab07ad5328168e9fc7d10dea4897d0f1a8c9ae9eed40bf3ea19b490428b0bc9df0a0aa087bf1f0083df276b9d48259ba09ceeed5d138f2a31a66de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
190B

MD5
256cd570e76ee7c2a58243fdfc8b30d3

SHA1
eff6459cacf90048b8adc7490ec89096ae7b3bb2

SHA256
15916e6e9e51963a816fd31f5244cf9264ec5effb2a1b137c7ea7f2a43869460

SHA512
7b80f1ea8d2989207ddac8357fe3fdd850c49cc6a560d1330fa61299a3eb07a9ceaae2ea392184a0b6c63fcbf74c1e2b0fa793cfe6b901224d197892a2bea885

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat

Filesize
190B

MD5
9d7f7b2b084a65d081e8f1812b45c090

SHA1
f209c622cb27888ec063aa7f39ce7be577f6a4a4

SHA256
36efdba1fbb99d336ba3c5998c783509820774e4fa501f9145aebde5fe796587

SHA512
3771938670d015f040e286ce8e37b267af07f41131c8b63955f6ce4ed6d98dc03a8a3944fe2dfcf68d0d89d79f0f881167217821545147f1d63b3f710e1056a2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
833f0a4ae8f3282cec3d251156bef317

SHA1
91c82271918b70601d0993474c3606638d314d5c

SHA256
8f9fc94f36782790cf0c4d0fcc874e3ff1df755120a6e445492c562622dc2bb5

SHA512
dbfa138db13f7c08f1c1e68c84f6531a67f2228bc3b261d8e8d4bbd40a1f8dd01b768f29412ec92847ee88a5b58376dbafe99eb66a9c6c5f8891061929c9aabc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/320-442-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1256-202-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/1256-203-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1324-562-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/1656-382-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2100-82-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/2100-81-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/2588-83-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2588-56-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2704-322-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2768-502-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-16-0x0000000000930000-0x000000000093C000-memory.dmp

Filesize
48KB

Download
memory/2788-14-0x00000000008F0000-0x0000000000902000-memory.dmp

Filesize
72KB

Download
memory/2788-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-15-0x0000000000920000-0x000000000092C000-memory.dmp

Filesize
48KB

Download
memory/2788-17-0x0000000000900000-0x000000000090C000-memory.dmp

Filesize
48KB

Download
memory/2948-740-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download