dcrat | d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3.exe
Size

1.3MB
MD5

64f6398391ad11ec5f688e7bf576e165
SHA1

ee8ca37ea2a9b2648b02f1b1ee283ca82adafdbe
SHA256

d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3
SHA512

7ff8f7e4dee96517613934e9be937ae4f0dc368d465d4552b5306dfca25dc53f4f045d26e8f33180b20c572362fab711cf0e5cc1f22294a1742869c181172d68
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2116	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2116	schtasks.exe	33

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000019326-12.dat	dcrat
behavioral1/memory/2820-13-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/2208-88-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/548-189-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/1748-249-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/1856-309-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/928-369-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2124-489-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2964-549-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2756	powershell.exe
2580	powershell.exe
796	powershell.exe
2148	powershell.exe
2772	powershell.exe
2924	powershell.exe
2748	powershell.exe
1856	powershell.exe
572	powershell.exe
2788	powershell.exe
2476	powershell.exe
2484	powershell.exe
1596	powershell.exe
1704	powershell.exe
1508	powershell.exe
1980	powershell.exe
2904	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2820	DllCommonsvc.exe
2208	winlogon.exe
548	winlogon.exe
1748	winlogon.exe
1856	winlogon.exe
928	winlogon.exe
2172	winlogon.exe
2124	winlogon.exe
2964	winlogon.exe
2260	winlogon.exe
3008	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	cmd.exe
2932	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\en-US\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3024	schtasks.exe
2368	schtasks.exe
1712	schtasks.exe
2428	schtasks.exe
2420	schtasks.exe
2100	schtasks.exe
1684	schtasks.exe
2412	schtasks.exe
2660	schtasks.exe
1644	schtasks.exe
1624	schtasks.exe
1844	schtasks.exe
1732	schtasks.exe
2032	schtasks.exe
2964	schtasks.exe
824	schtasks.exe
2128	schtasks.exe
1672	schtasks.exe
2856	schtasks.exe
2292	schtasks.exe
1400	schtasks.exe
2316	schtasks.exe
760	schtasks.exe
2528	schtasks.exe
3032	schtasks.exe
1532	schtasks.exe
2560	schtasks.exe
2636	schtasks.exe
568	schtasks.exe
2404	schtasks.exe
1432	schtasks.exe
2752	schtasks.exe
3028	schtasks.exe
1976	schtasks.exe
2232	schtasks.exe
2508	schtasks.exe
1008	schtasks.exe
2000	schtasks.exe
2708	schtasks.exe
2888	schtasks.exe
1168	schtasks.exe
1056	schtasks.exe
968	schtasks.exe
1784	schtasks.exe
612	schtasks.exe
1564	schtasks.exe
1664	schtasks.exe
2152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2820	DllCommonsvc.exe
2788	powershell.exe
1980	powershell.exe
2772	powershell.exe
2748	powershell.exe
2148	powershell.exe
2924	powershell.exe
2904	powershell.exe
2580	powershell.exe
2476	powershell.exe
2756	powershell.exe
1704	powershell.exe
1508	powershell.exe
796	powershell.exe
572	powershell.exe
1596	powershell.exe
1856	powershell.exe
2484	powershell.exe
2208	winlogon.exe
548	winlogon.exe
1748	winlogon.exe
1856	winlogon.exe
928	winlogon.exe
2172	winlogon.exe
2124	winlogon.exe
2964	winlogon.exe
2260	winlogon.exe
3008	winlogon.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	DllCommonsvc.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2208	winlogon.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	548	winlogon.exe
Token: SeDebugPrivilege	1748	winlogon.exe
Token: SeDebugPrivilege	1856	winlogon.exe
Token: SeDebugPrivilege	928	winlogon.exe
Token: SeDebugPrivilege	2172	winlogon.exe
Token: SeDebugPrivilege	2124	winlogon.exe
Token: SeDebugPrivilege	2964	winlogon.exe
Token: SeDebugPrivilege	2260	winlogon.exe
Token: SeDebugPrivilege	3008	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2924	572	JaffaCakes118_d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3.exe	29
PID 572 wrote to memory of 2924	572	JaffaCakes118_d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3.exe	29
PID 572 wrote to memory of 2924	572	JaffaCakes118_d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3.exe	29
PID 572 wrote to memory of 2924	572	JaffaCakes118_d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3.exe	29
PID 2924 wrote to memory of 2932	2924	WScript.exe	30
PID 2924 wrote to memory of 2932	2924	WScript.exe	30
PID 2924 wrote to memory of 2932	2924	WScript.exe	30
PID 2924 wrote to memory of 2932	2924	WScript.exe	30
PID 2932 wrote to memory of 2820	2932	cmd.exe	32
PID 2932 wrote to memory of 2820	2932	cmd.exe	32
PID 2932 wrote to memory of 2820	2932	cmd.exe	32
PID 2932 wrote to memory of 2820	2932	cmd.exe	32
PID 2820 wrote to memory of 2580	2820	DllCommonsvc.exe	82
PID 2820 wrote to memory of 2580	2820	DllCommonsvc.exe	82
PID 2820 wrote to memory of 2580	2820	DllCommonsvc.exe	82
PID 2820 wrote to memory of 2748	2820	DllCommonsvc.exe	84
PID 2820 wrote to memory of 2748	2820	DllCommonsvc.exe	84
PID 2820 wrote to memory of 2748	2820	DllCommonsvc.exe	84
PID 2820 wrote to memory of 1980	2820	DllCommonsvc.exe	85
PID 2820 wrote to memory of 1980	2820	DllCommonsvc.exe	85
PID 2820 wrote to memory of 1980	2820	DllCommonsvc.exe	85
PID 2820 wrote to memory of 1596	2820	DllCommonsvc.exe	88
PID 2820 wrote to memory of 1596	2820	DllCommonsvc.exe	88
PID 2820 wrote to memory of 1596	2820	DllCommonsvc.exe	88
PID 2820 wrote to memory of 1704	2820	DllCommonsvc.exe	89
PID 2820 wrote to memory of 1704	2820	DllCommonsvc.exe	89
PID 2820 wrote to memory of 1704	2820	DllCommonsvc.exe	89
PID 2820 wrote to memory of 1856	2820	DllCommonsvc.exe	90
PID 2820 wrote to memory of 1856	2820	DllCommonsvc.exe	90
PID 2820 wrote to memory of 1856	2820	DllCommonsvc.exe	90
PID 2820 wrote to memory of 2148	2820	DllCommonsvc.exe	92
PID 2820 wrote to memory of 2148	2820	DllCommonsvc.exe	92
PID 2820 wrote to memory of 2148	2820	DllCommonsvc.exe	92
PID 2820 wrote to memory of 1508	2820	DllCommonsvc.exe	93
PID 2820 wrote to memory of 1508	2820	DllCommonsvc.exe	93
PID 2820 wrote to memory of 1508	2820	DllCommonsvc.exe	93
PID 2820 wrote to memory of 2756	2820	DllCommonsvc.exe	94
PID 2820 wrote to memory of 2756	2820	DllCommonsvc.exe	94
PID 2820 wrote to memory of 2756	2820	DllCommonsvc.exe	94
PID 2820 wrote to memory of 2484	2820	DllCommonsvc.exe	95
PID 2820 wrote to memory of 2484	2820	DllCommonsvc.exe	95
PID 2820 wrote to memory of 2484	2820	DllCommonsvc.exe	95
PID 2820 wrote to memory of 572	2820	DllCommonsvc.exe	96
PID 2820 wrote to memory of 572	2820	DllCommonsvc.exe	96
PID 2820 wrote to memory of 572	2820	DllCommonsvc.exe	96
PID 2820 wrote to memory of 796	2820	DllCommonsvc.exe	97
PID 2820 wrote to memory of 796	2820	DllCommonsvc.exe	97
PID 2820 wrote to memory of 796	2820	DllCommonsvc.exe	97
PID 2820 wrote to memory of 2476	2820	DllCommonsvc.exe	100
PID 2820 wrote to memory of 2476	2820	DllCommonsvc.exe	100
PID 2820 wrote to memory of 2476	2820	DllCommonsvc.exe	100
PID 2820 wrote to memory of 2904	2820	DllCommonsvc.exe	101
PID 2820 wrote to memory of 2904	2820	DllCommonsvc.exe	101
PID 2820 wrote to memory of 2904	2820	DllCommonsvc.exe	101
PID 2820 wrote to memory of 2924	2820	DllCommonsvc.exe	102
PID 2820 wrote to memory of 2924	2820	DllCommonsvc.exe	102
PID 2820 wrote to memory of 2924	2820	DllCommonsvc.exe	102
PID 2820 wrote to memory of 2788	2820	DllCommonsvc.exe	103
PID 2820 wrote to memory of 2788	2820	DllCommonsvc.exe	103
PID 2820 wrote to memory of 2788	2820	DllCommonsvc.exe	103
PID 2820 wrote to memory of 2772	2820	DllCommonsvc.exe	104
PID 2820 wrote to memory of 2772	2820	DllCommonsvc.exe	104
PID 2820 wrote to memory of 2772	2820	DllCommonsvc.exe	104
PID 2820 wrote to memory of 2208	2820	DllCommonsvc.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d36ded0639ead2a353383079e81c8fc0e708406881e79b9ed6af02d7aa27b4f3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        6⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2488
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat"
        8⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2968
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
        10⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:952
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        12⤵
        
        PID:2432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:860
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
        14⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2472
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat"
        16⤵
        
        PID:1060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2780
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        18⤵
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1856
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
        20⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2388
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
        22⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2100
        
        C:\Users\All Users\Favorites\winlogon.exe
        
        "C:\Users\All Users\Favorites\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\TableTextService\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1405139a2366f303295c80eb48dd40ab

SHA1
8dd4ce18256239a9be3122ef28d87674cb34214c

SHA256
91e8f91c962aaecb822dbacaf92c049fda714f3f374af55ce318e5d6373906f8

SHA512
3734194047c9dd702813342f1ad7e9a5f957eec4f0983887a1b1ccb25fee5e7505f36d26d44fbcba1ec9fb44d1459c33ae29dc705264b8acfdca021aa1f167bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6411b3d02c9df50d3d643fe38e8a0a10

SHA1
4bb28964b8afe7e1ec18a823ae139f6a9ac0be15

SHA256
15407872751b34a4ee07b3ba737b96e257f88cacc9ce5da20e5838175245601f

SHA512
bb3e6f044839024d78002715673f77125c3da8f16d31c4dd811bc52d05f92e3ead3b5a4701059de161e21a235785208f37f66f95ded3fc579f7cad419d0a5de9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c65586a5af5f0a1f9f6ba39a107655a

SHA1
be58d08ffd0020e115784a1b06dae0f62fd04477

SHA256
9692587f216d0dde8239b28edcf2916685f8c31bf6e4c05e8134040978088d12

SHA512
740750454ffa212dba8f0d6da23302e5ba77337eea427c26bfba91be156da0ef9f0fc60a4acb0d7eed7c24c4640b4d6f7168b689f0f7d9aaed47a8813a446ce8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6e639563dd22abe46dc72e90c6b31a0

SHA1
2d0d48313ba817f7fdec92cb760990c97670ca61

SHA256
7d22a6d068be1554ce337bdeaed4ed4925b017eb99aefbdd74d6d62dc928b2e0

SHA512
b2802276658082200bf6d8460dc0304dd5396aa44b1347f799cb2ebceb1de998c739a3b1e612ed49e99252b23768f2e81f2e598f99ffb487e58849b6be139d3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0810d3651cb5a48e787632bfcea37238

SHA1
2c7843aabe3ef56086f7ff0cb742d5ba5887c576

SHA256
b724d37f66f07cc40a300795f7e458bad46123881a797bd5496e80b9377b835f

SHA512
2983344b361c0c67c344e7a77f98c02889ddbbafae6dae284393897d64c4430432b45575349f21c77fc0756afa0118b9d57635d0f5279430af91790e38a71e7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d72456877f51109504b4ca16df807cb8

SHA1
983c7ea27a9aee3a4bc6ccef91d4dfb7fd4514d8

SHA256
30fca7e6248c35bf10a5a02215e5971325ee984a706344d5e4c61a60345fbe4f

SHA512
c9a3faaaa542cd97e397b53f6ba2fd1e38cac33f8cc35e28ba7b5d4589bab352dc038cb62103455177c96258e8d8a68efa1ab84115473db281c843244a648573

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d359a864e3f47654ada9ea78d91fe16a

SHA1
f7eb0ae94f29b8060d5229d228398c5f5025d78d

SHA256
e48017432b30bf50fbc3fd0b6822a1e0fd6360af2675215757df11fb5ba0d287

SHA512
c1fe679d4263680c7d79e7bd1dc063c2d8026a42029761742815ea53efa70f35252551c48a5646332d64be86028e0682ef128a3ea4f4decda400510ecc65e40e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
605d3435aec35f824880487976bd5c4b

SHA1
73e37d8661be508d12cc85f88b93f90c3a1c2347

SHA256
ca1c68c15494eed92de7766b12b7e672411652b9088e1278ca917772beddb4a9

SHA512
14dd53dc207936f20be1080bdf6463e3bc49dcbd2062d42dbb960e4791980898c9b4db042a74303d5f2d73d959c80d309f38e42cc47fcdcd2847b9b367d3b138

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

Filesize
206B

MD5
618ba8dded6f89074218db182b426fb5

SHA1
8efab1395905c4f3b8cbac2460ff24a7e53d3d8f

SHA256
71d6792196a329238c0f631415fa397a851e5c70180f83742556ca43f74204cc

SHA512
5a34333a470cac5f959e065a6a9fe5fd949c372929f920c39de19ee2697fe9c7a94cfe38c6d79e5b7cf283133b20a8f9c8044b26004b28ccc382567a0c08422c

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
206B

MD5
b383c81a7e6d06fd01af528eff4f250e

SHA1
ad52c3ed5225a56b02217288197b7b4931d9f8a7

SHA256
97b9cd77ecf184d2dad0e900e760fe58c4895adb16d096c4d885bd9579fc9d89

SHA512
1850fe5160b2ffb490c9332500dc85f88a767225677e7afc42f053cda31bbe70a08b0afd27aa6562a4c41fe46c5e9b4ed5ab8b95118f581b6c930955f21499ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

Filesize
206B

MD5
aa532b28834da5d3e19b0f2c4897e9e1

SHA1
044c7eb8c1eea5f664c16d5a3aa13ecaff9adbd6

SHA256
ea56f6daa080443011d2d7979abe7ab70c62a7513b4fa4970d2a865200564b60

SHA512
0504176d1d04c3cdb388680dd957f63e19fff36493f35a3859075a3f2b43b58a7c97f2d94106118bc55ff1bd566ca4f3c6586a30380bffb871730af3f65258bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB981.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

Filesize
206B

MD5
302fda2af96de9e7c2a1b6a6cadd6498

SHA1
d5171fba9ed92899e7afeffb77a984b5602427c3

SHA256
79a435e816b01c9fb0cefc3de3958b244f40d61fc57df151c75081e008b4e056

SHA512
df690d3fca275f62ae606724e815e381242842fca7a30acd640eba62ed55ad80f80f5af999953691963604635a1c48cc359978ff4a8786c03a45df934b481ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpZgFYZT4y.bat

Filesize
206B

MD5
8800dd98278e2a504eba6691a010cc8d

SHA1
502dfef64c2fe62ae719540987b1590636686a84

SHA256
a505984dd03597988db55057333bc7151db729258bac7c80b29273cf19db0fc5

SHA512
82cdce5afc1e59a4846b9b56d93067a0d2df8daaf88cd3759bd4c295497eb70a1dcf6935c41fe279fc468ea63a3065a4316993dfa949e631c3e3817448db7ec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
206B

MD5
23a59dab1758985f3ab4e62388f9303c

SHA1
c33f8ec9400bb4010068b943aa9bd0c597674e1a

SHA256
335e328fe351ab8609ae430572134578974c61431e6405cc29b98cd1fb36b161

SHA512
7878100b7c470bc75182fffbd2fa029003418bc59f8db4c93341773685acbfbb069e9db10c10b8c189d9280726f28aa1650a9980dc888e1d0c584bb77eb1fb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA01.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
206B

MD5
4825e304383853b61344aabbf914734b

SHA1
e500dadfe7e8268c48f0766f3b46f5ad2f0f4297

SHA256
fb5ae20a14ffb4a65dd274ed915ea71d925c809728c57109b19f4207433abb8e

SHA512
1f20597dfc1f51440764b7eabbffddf3043b879375d09b7eaf77fea85a0083aabf81b4ba19c849add8d56a5686acc3a654741aae009625d42b0dfc5b084190ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\sodlpYYBfa.bat

Filesize
206B

MD5
a7a5ef36d30bc250ff03d238e04a394e

SHA1
8d69efcb02036a142d46c98f3444c543c2723813

SHA256
e4b2f48aa478c159365da1c448eec794b4b2b9f46e6fbfaea4e294fefab5b41f

SHA512
bf14ec42e4281d277ccd4b47390602b0048b2bbe50010ca61bde4225be81064d91fc22a246e08554c8dc7f1c61fed6887789c03f796f97db9f880afd61c52caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

Filesize
206B

MD5
75f1f60898fa45a1fb329f63bcc6b1fe

SHA1
dd15f68b4166a6e3883a5d6bab8492e7152fdc41

SHA256
fca323963b2bb0c3244616f0e7c38e1532b876dead78d7386b5d3dcf45f00ad9

SHA512
1ddf3e40380dce0005a0fe160872bc50619556ee4b66a4e82e68d8042a02ba45f2ca607c9352873596bef93d892aad2407d1f374740bb35e8e5e94a62074d945

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
40a8150b6710a850d2a45d7570e3ba61

SHA1
223a7b1c096370aab970c47557830fde9de30a4f

SHA256
f73f0a679f4ecf8cd8a50f6e071a80b3de6c29fb87960f5cb0b615a78a0002bc

SHA512
1a5a598762377920ebc09873926aa153abbde4435599031f9e233cdce34eb6008db9e6577a0edfd799391502c2b7f42e322d7a75fb2789998069632d8293b392

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/548-189-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/928-369-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/1748-249-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/1856-309-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/1980-71-0x0000000002490000-0x0000000002498000-memory.dmp

Filesize
32KB

Download
memory/2124-489-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2172-429-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2208-88-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2748-68-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2820-17-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/2820-16-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2820-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2820-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2820-13-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2964-549-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download