dcrat | 7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b.exe
Size

1.3MB
MD5

9b7c6f59f22fb89264216ba57778d72d
SHA1

2d7b35edb85831da881ca9a86b9e6390ba1b10d2
SHA256

7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b
SHA512

bbea0be8feb664b5ce517816607c5ecd75e6c718738253e97a088b1eff2af40c8e7ecfec0c79b402162c3145f97c49f51024d361a9c6621a3b62565becc61ffa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2592	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2592	schtasks.exe	34

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018710-12.dat	dcrat
behavioral1/memory/2696-13-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/1584-150-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/1900-506-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2752	powershell.exe
2716	powershell.exe
2556	powershell.exe
2560	powershell.exe
2848	powershell.exe
2628	powershell.exe
408	powershell.exe
752	powershell.exe
2012	powershell.exe
1372	powershell.exe
3012	powershell.exe
2836	powershell.exe
2824	powershell.exe
2732	powershell.exe
2212	powershell.exe
2820	powershell.exe
2792	powershell.exe
612	powershell.exe
2644	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2696	DllCommonsvc.exe
1584	csrss.exe
2732	csrss.exe
2608	csrss.exe
1144	csrss.exe
2104	csrss.exe
2540	csrss.exe
1900	csrss.exe
776	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2580	cmd.exe
2580	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\nl-NL\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\System32\nl-NL\6ccacd8608530f	DllCommonsvc.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\SIGNUP\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\SIGNUP\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\en-US\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\fr-FR\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\en-US\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\en-US\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dwm.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2812	schtasks.exe
2084	schtasks.exe
3024	schtasks.exe
2036	schtasks.exe
2372	schtasks.exe
3020	schtasks.exe
848	schtasks.exe
1288	schtasks.exe
2184	schtasks.exe
1796	schtasks.exe
1044	schtasks.exe
1576	schtasks.exe
2416	schtasks.exe
1444	schtasks.exe
792	schtasks.exe
2708	schtasks.exe
2864	schtasks.exe
1612	schtasks.exe
2448	schtasks.exe
560	schtasks.exe
1956	schtasks.exe
1480	schtasks.exe
3000	schtasks.exe
2428	schtasks.exe
2132	schtasks.exe
2788	schtasks.exe
3004	schtasks.exe
2032	schtasks.exe
1620	schtasks.exe
1244	schtasks.exe
1556	schtasks.exe
2348	schtasks.exe
2108	schtasks.exe
2312	schtasks.exe
1520	schtasks.exe
1836	schtasks.exe
1728	schtasks.exe
752	schtasks.exe
1084	schtasks.exe
592	schtasks.exe
2236	schtasks.exe
2260	schtasks.exe
832	schtasks.exe
872	schtasks.exe
2320	schtasks.exe
2396	schtasks.exe
1864	schtasks.exe
552	schtasks.exe
2892	schtasks.exe
1964	schtasks.exe
1996	schtasks.exe
988	schtasks.exe
2268	schtasks.exe
1448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2696	DllCommonsvc.exe
2696	DllCommonsvc.exe
2696	DllCommonsvc.exe
2824	powershell.exe
2732	powershell.exe
2848	powershell.exe
2012	powershell.exe
2836	powershell.exe
2644	powershell.exe
2628	powershell.exe
2752	powershell.exe
2212	powershell.exe
612	powershell.exe
2560	powershell.exe
408	powershell.exe
1372	powershell.exe
2820	powershell.exe
752	powershell.exe
3012	powershell.exe
2556	powershell.exe
2792	powershell.exe
2716	powershell.exe
1584	csrss.exe
2732	csrss.exe
2608	csrss.exe
1144	csrss.exe
2104	csrss.exe
2540	csrss.exe
1900	csrss.exe
776	csrss.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	DllCommonsvc.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	1584	csrss.exe
Token: SeDebugPrivilege	2732	csrss.exe
Token: SeDebugPrivilege	2608	csrss.exe
Token: SeDebugPrivilege	1144	csrss.exe
Token: SeDebugPrivilege	2104	csrss.exe
Token: SeDebugPrivilege	2540	csrss.exe
Token: SeDebugPrivilege	1900	csrss.exe
Token: SeDebugPrivilege	776	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2868	2380	JaffaCakes118_7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b.exe	30
PID 2380 wrote to memory of 2868	2380	JaffaCakes118_7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b.exe	30
PID 2380 wrote to memory of 2868	2380	JaffaCakes118_7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b.exe	30
PID 2380 wrote to memory of 2868	2380	JaffaCakes118_7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b.exe	30
PID 2868 wrote to memory of 2580	2868	WScript.exe	31
PID 2868 wrote to memory of 2580	2868	WScript.exe	31
PID 2868 wrote to memory of 2580	2868	WScript.exe	31
PID 2868 wrote to memory of 2580	2868	WScript.exe	31
PID 2580 wrote to memory of 2696	2580	cmd.exe	33
PID 2580 wrote to memory of 2696	2580	cmd.exe	33
PID 2580 wrote to memory of 2696	2580	cmd.exe	33
PID 2580 wrote to memory of 2696	2580	cmd.exe	33
PID 2696 wrote to memory of 3012	2696	DllCommonsvc.exe	89
PID 2696 wrote to memory of 3012	2696	DllCommonsvc.exe	89
PID 2696 wrote to memory of 3012	2696	DllCommonsvc.exe	89
PID 2696 wrote to memory of 2836	2696	DllCommonsvc.exe	90
PID 2696 wrote to memory of 2836	2696	DllCommonsvc.exe	90
PID 2696 wrote to memory of 2836	2696	DllCommonsvc.exe	90
PID 2696 wrote to memory of 2824	2696	DllCommonsvc.exe	91
PID 2696 wrote to memory of 2824	2696	DllCommonsvc.exe	91
PID 2696 wrote to memory of 2824	2696	DllCommonsvc.exe	91
PID 2696 wrote to memory of 2732	2696	DllCommonsvc.exe	92
PID 2696 wrote to memory of 2732	2696	DllCommonsvc.exe	92
PID 2696 wrote to memory of 2732	2696	DllCommonsvc.exe	92
PID 2696 wrote to memory of 2848	2696	DllCommonsvc.exe	93
PID 2696 wrote to memory of 2848	2696	DllCommonsvc.exe	93
PID 2696 wrote to memory of 2848	2696	DllCommonsvc.exe	93
PID 2696 wrote to memory of 2012	2696	DllCommonsvc.exe	94
PID 2696 wrote to memory of 2012	2696	DllCommonsvc.exe	94
PID 2696 wrote to memory of 2012	2696	DllCommonsvc.exe	94
PID 2696 wrote to memory of 2752	2696	DllCommonsvc.exe	95
PID 2696 wrote to memory of 2752	2696	DllCommonsvc.exe	95
PID 2696 wrote to memory of 2752	2696	DllCommonsvc.exe	95
PID 2696 wrote to memory of 2820	2696	DllCommonsvc.exe	96
PID 2696 wrote to memory of 2820	2696	DllCommonsvc.exe	96
PID 2696 wrote to memory of 2820	2696	DllCommonsvc.exe	96
PID 2696 wrote to memory of 2716	2696	DllCommonsvc.exe	97
PID 2696 wrote to memory of 2716	2696	DllCommonsvc.exe	97
PID 2696 wrote to memory of 2716	2696	DllCommonsvc.exe	97
PID 2696 wrote to memory of 2628	2696	DllCommonsvc.exe	98
PID 2696 wrote to memory of 2628	2696	DllCommonsvc.exe	98
PID 2696 wrote to memory of 2628	2696	DllCommonsvc.exe	98
PID 2696 wrote to memory of 1372	2696	DllCommonsvc.exe	106
PID 2696 wrote to memory of 1372	2696	DllCommonsvc.exe	106
PID 2696 wrote to memory of 1372	2696	DllCommonsvc.exe	106
PID 2696 wrote to memory of 2560	2696	DllCommonsvc.exe	111
PID 2696 wrote to memory of 2560	2696	DllCommonsvc.exe	111
PID 2696 wrote to memory of 2560	2696	DllCommonsvc.exe	111
PID 2696 wrote to memory of 2212	2696	DllCommonsvc.exe	112
PID 2696 wrote to memory of 2212	2696	DllCommonsvc.exe	112
PID 2696 wrote to memory of 2212	2696	DllCommonsvc.exe	112
PID 2696 wrote to memory of 2556	2696	DllCommonsvc.exe	113
PID 2696 wrote to memory of 2556	2696	DllCommonsvc.exe	113
PID 2696 wrote to memory of 2556	2696	DllCommonsvc.exe	113
PID 2696 wrote to memory of 2644	2696	DllCommonsvc.exe	114
PID 2696 wrote to memory of 2644	2696	DllCommonsvc.exe	114
PID 2696 wrote to memory of 2644	2696	DllCommonsvc.exe	114
PID 2696 wrote to memory of 612	2696	DllCommonsvc.exe	115
PID 2696 wrote to memory of 612	2696	DllCommonsvc.exe	115
PID 2696 wrote to memory of 612	2696	DllCommonsvc.exe	115
PID 2696 wrote to memory of 752	2696	DllCommonsvc.exe	116
PID 2696 wrote to memory of 752	2696	DllCommonsvc.exe	116
PID 2696 wrote to memory of 752	2696	DllCommonsvc.exe	116
PID 2696 wrote to memory of 2792	2696	DllCommonsvc.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7ce014130df8d99965f8c896db3ea92a587baff8b60b10c72a24be5f031cb32b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Downloads\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\nl-NL\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UODwa2Fb6j.bat"
        5⤵
        
        PID:780
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:844
      - C:\Users\Admin\Cookies\csrss.exe
        
        "C:\Users\Admin\Cookies\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        7⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2836
        
        C:\Users\Admin\Cookies\csrss.exe
        
        "C:\Users\Admin\Cookies\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        9⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2760
        
        C:\Users\Admin\Cookies\csrss.exe
        
        "C:\Users\Admin\Cookies\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
        11⤵
        
        PID:1444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1148
        
        C:\Users\Admin\Cookies\csrss.exe
        
        "C:\Users\Admin\Cookies\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
        13⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2580
        
        C:\Users\Admin\Cookies\csrss.exe
        
        "C:\Users\Admin\Cookies\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        15⤵
        
        PID:632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2392
        
        C:\Users\Admin\Cookies\csrss.exe
        
        "C:\Users\Admin\Cookies\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        17⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1008
        
        C:\Users\Admin\Cookies\csrss.exe
        
        "C:\Users\Admin\Cookies\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
        19⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2524
        
        C:\Users\Admin\Cookies\csrss.exe
        
        "C:\Users\Admin\Cookies\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Downloads\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\en-US\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\en-US\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\en-US\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\nl-NL\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\SIGNUP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Links\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Links\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Links\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Downloads\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Cookies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\fr-FR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\assembly\GAC_MSIL\UIAutomationTypes\3.0.0.0__31bf3856ad364e35\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d002d991fb805a4f5673784fa38ae4fa

SHA1
3433f7418bb185cdfd05ae7ac1af8f51b4568e98

SHA256
4ccdc67773fb84e233d1cacb51dac1cf34fd8ab5180ef4a6f069dbada5d42097

SHA512
b19b3128aa7339abe4c427b815a876bcf5bb6ce9e532545909cc0a232b3d448cea53de815073471af4994cf679c7a25caa4a5eeaaaefb17407ed40873f2b6ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fea3561b5504b6990bcb347266ee42ab

SHA1
9cf403f7d503021f133ddb50b1dd7b1a2b146dcc

SHA256
4491abe24fa51bbafda2290321d8eaee5c4519a0e42092a5b28b7c5876df4964

SHA512
4c418451ed88406462b7e43dd12a7dbcadccf3493ad5cb22a0deaab3d9e4a873a626065301cd6296942d9d66dbc3330f0ab8ffe41feca5e852c7600e1ce119a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6be7d940a10a93bdfabe915ec89ee5a5

SHA1
18a7b244579a8f4064477923679f88367b848992

SHA256
7b704b85dc67d4924826c05171813aedba02f222b67688c09f55878824a6c317

SHA512
abd89668e09d6e70d8b87ec3290e7164b4501684cd476092261b361c70dd44f766ff0ad260f1799cbdf7c606d074183d4676dfca593e4ea23fa98330d6725e75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fddeb55993a278e5152fc0db2717927c

SHA1
b1ccaecddab147ca2a27cb2597e05475c98e17d7

SHA256
a1b4842504280689dbb999207b03f67a93ef9ad771d4ef45d0ca63b5b00ef298

SHA512
789b6b6d6ad349f0e0f5ef0e62bc9f99ca15ab0d3e610bc8b878b58dc744b0c7896df783b089eb3d5490fe50f58b4d6f2178a3db376d3e8c72e73594783ffecc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddd6b95ca346b2a14b95029672d2e547

SHA1
e4bac360cd31dd4d215a480cddc474420934eb43

SHA256
bf5e7400a45695ee06d7b72ee271160035a97d924238f7d426db2b286ae7bbe1

SHA512
401e1f0e6bfcbdad03642e16052edfd9a651e3ed98fd8ed5b52099e121aaed3f5794bc6a0d4e5d4d8da4e3b0aac2a6cc5e22591d5fa46d4b3c10f0cd2958ae4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c453d995b8f14f1be3abf6b6e543182

SHA1
af4d489a6f77e5aa4e73f841f2ddaf5e1a73c2a5

SHA256
066515d0962aaa067330e346524bbb66a1844340cb182d5b4a239b5a6c3eb479

SHA512
2aa4ef805db4794dc8d6032bf79ed7eb7ae4a89b288115311a43d7e7d1729ac261e5972b8360e4f69fa6d3101e31fa30ecbf41703785dc523fae4cf32c007863

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
197B

MD5
dd08daef325dacd1bd8e539c9ff8554a

SHA1
70da6bb7751dfd03c6f6cb17089f185c6d2504fd

SHA256
fd59c8d9324bfe1119727ea8140089e9f4a9e77ac9daf86e4b9aabcacfaddfe2

SHA512
a7844e7f1d3ce009f6667d1c2ef0bd58dd95f6798e3c7ebae391f8ac60679b6467d42317c9bec7260378f51e509644d58660b22bfa55208d087697991ec18029

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7D6C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat

Filesize
197B

MD5
b4cfdd600542e61996b2bafa579aeb9f

SHA1
f188395840c6758a4f45fccc7dcf9c0ea44bd82a

SHA256
7857cea2b9e1d9e02c97585d1f2bcb33ead24879ea06d3ba1e3bf254139cb9db

SHA512
1ff2a0258794bf61a6a557d4d2424c9c46bc6b38f4fb3d12d9a4cc6cbf5ccb6a01f0a0072e15d9b4840e02ebda74e9b4bb7cf03aa81acc8fd94dc34733e63dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7D7E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UODwa2Fb6j.bat

Filesize
197B

MD5
de308304c4c554ea6d82640744577b74

SHA1
5fb9614c26b5cfb0b200669240abe6d6cfe9d6d0

SHA256
ebf4269b5aef4a9a38c870cfcf58cd1d8c7e19f7b6db9482ef20bff325005a72

SHA512
76c9a60789e21f39f2201f26b0b9a726bc851975227fa0319ae1729177a780bec80d3b05a5ef74d32a0f07523a18d03b9cd70d43592c1486c79b7f714f227242

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

Filesize
197B

MD5
b07fdda47ff31bdd95438032a0a08d45

SHA1
8c79f12cba924f0118ffc50eea3b3fe4cd2b48d3

SHA256
4abc6704a6725861c2acda9710593bd5f4922125f4a345e076a9397d458914c5

SHA512
b14ee342a8aa0a3b097a9460fae60e2aca58423804aebef7026c5978044fa776e0d0c383e1f037bc307db795ec3a4614f65f7c33589569eecd064dabe474a610

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
197B

MD5
085ef24ae306bfd11299f88fe5835b91

SHA1
3085d5dcc48f60659f9b93df9d778f2298581925

SHA256
008e32038f1b56b55a224dfa544835f99f58a069c8200058b87f4d324ce073a3

SHA512
21f253af11fd35951cb3026d87e16f701fbf6438aa42c9494282b75cc7d786be0f050dbd37dcad450550c54dd92d36500281af3779a7563c1aa47b30d39f422b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

Filesize
197B

MD5
45b19c57d5fb46ecc9c6520a9c9c0cd7

SHA1
9fda0da533f2a9290bd0f7de4787fa9ff15f409f

SHA256
a928db91b0704b2242c68ff04c1d6d0b6e22c065ee75d31becccaa97ccbf3e6f

SHA512
b880cf804eafd23cf5bb6c7f22b2d1023efa18175f31c17819c6372e54d062c73bd1f98618d2bc890356484f8349c27951325dda700ed4f2483b2699f13a78ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

Filesize
197B

MD5
18334cb0807c1e0c6c7aca8b4f9f4d28

SHA1
8050b46af2bbd73513e359e6900e228286cda715

SHA256
c18b5bc2253d11c5517ce17915b910c09dbecf1026fe41cbbcd90707ac342e9a

SHA512
7e667686f88c494b1fd4de29f68f4835f3027f30969dac05dd4d8fc456473a9b1b4b7987c6ee266580b7348312d457011669ed8f37c8f024505034e0bd5bb1df

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
197B

MD5
d373223695de3e376b8bf5c14392111a

SHA1
36f2f24999d35d599bba4c08368d6fd47470dd36

SHA256
6bef29566a64f83441e68b8ed9ceca709f7454dc864ef119345dff40dbbe4ca4

SHA512
e90f5ddfb780e0828951550fe488db0148cbf01f50f73a3fcc64f78cc39d945e8b02f25d6ebdc91a4cb85ca40671bce5473d1b4225b2db0989deacacc1dbd07d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
321da33e3da0019fe05e1c14e50360c3

SHA1
814d329acb7b69b7ee2afbd2ab52aec157efd4dc

SHA256
88e4f776e9f03133097240d3e75a7414b31eac99396972ddf61d3d24f2af487f

SHA512
a09b93266c418403e9f43a4bbabf3d3e97c0b33e2882d0fc9e47a5d6c10b3eabe064cb4b7f95ef5ed0a832f3df53bba489d204896d4c88ff561113f881876e96

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1584-150-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/1900-506-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2540-446-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2696-13-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/2696-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2696-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2696-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2696-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2732-81-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2732-209-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2824-82-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download