dcrat | b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3

Analysis

max time kernel
122s
max time network
156s
platform
windows7_x64
resource
win7-20230824-en
resource tags

arch:x64arch:x86image:win7-20230824-enlocale:en-usos:windows7-x64system
submitted
27/08/2023, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3_JC.exe
Size

1.3MB
MD5

397f5c91fd7cafc22c3fe28bc8fe675a
SHA1

02e127ae9c5a55e9b48731a3d47220cdb056f3eb
SHA256

b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3
SHA512

fdb348e8d451e68f59c02c57dcc788e486f7244211687b854463768961c50bd70fad6e5e0e2e66dd3c42666fa6d04fcf1014e3dd356011eeaba4a6a7031bf311
SSDEEP

24576:dA1MqYjjU6kS6e5jB/n4L6JXWutEcPO6KhepiKnG/hnPrdSkl+j9aTw1OquD:d4dK756e5VgL6JXWutEcLmesKG/hQzj4

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 64 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2576	schtasks.exe	36
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2576	schtasks.exe	36

DCRat payload 21 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a000000012023-3.dat	dcrat
behavioral1/files/0x000a000000012023-6.dat	dcrat
behavioral1/files/0x000a000000012023-5.dat	dcrat
behavioral1/files/0x000a000000012023-9.dat	dcrat
behavioral1/files/0x0008000000015e8a-22.dat	dcrat
behavioral1/files/0x0008000000015e8a-25.dat	dcrat
behavioral1/files/0x0008000000015e8a-24.dat	dcrat
behavioral1/files/0x0008000000015e8a-23.dat	dcrat
behavioral1/memory/2680-28-0x0000000000D70000-0x0000000000E46000-memory.dmp	dcrat
behavioral1/memory/2680-29-0x000000001AF60000-0x000000001AFE0000-memory.dmp	dcrat
behavioral1/files/0x0006000000016cec-35.dat	dcrat
behavioral1/files/0x0008000000015e8a-51.dat	dcrat
behavioral1/memory/1968-52-0x0000000000E70000-0x0000000000F46000-memory.dmp	dcrat
behavioral1/memory/1968-54-0x000000001AE40000-0x000000001AEC0000-memory.dmp	dcrat
behavioral1/files/0x0006000000016d7d-61.dat	dcrat
behavioral1/files/0x0008000000015e8a-73.dat	dcrat
behavioral1/files/0x0008000000015e8a-87.dat	dcrat
behavioral1/files/0x0007000000018b7c-123.dat	dcrat
behavioral1/files/0x0007000000018b7c-124.dat	dcrat
behavioral1/memory/1400-125-0x0000000000CD0000-0x0000000000DA6000-memory.dmp	dcrat
behavioral1/memory/1400-127-0x000000001B020000-0x000000001B0A0000-memory.dmp	dcrat

Executes dropped EXE 6 IoCs

pid	Process
2232	prikol.exe
2680	agentServer.exe
1968	agentServer.exe
2168	agentServer.exe
1080	agentServer.exe
1400	WMIADAP.exe

Loads dropped DLL 3 IoCs

pid	Process
2160	b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3_JC.exe
2788	cmd.exe
2788	cmd.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\agentServer.exe	agentServer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\agentServer.exe	agentServer.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\System.exe	agentServer.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dwm.exe	agentServer.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe	agentServer.exe
File created	C:\Program Files\DVD Maker\de-DE\smss.exe	agentServer.exe
File created	C:\Program Files\DVD Maker\de-DE\69ddcba757bf72	agentServer.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\dwm.exe	agentServer.exe
File created	C:\Program Files\Windows Journal\Templates\5940a34987c991	agentServer.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\6203df4a6bafc7	agentServer.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\886983d96e3d3e	agentServer.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\a9d4305ae12582	agentServer.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\27d1bcfc3c54e0	agentServer.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\6cb0b6c459d5d3	agentServer.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe	agentServer.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\69ddcba757bf72	agentServer.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\6cb0b6c459d5d3	agentServer.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\dwm.exe	agentServer.exe
File created	C:\Program Files\Windows Journal\Templates\dllhost.exe	agentServer.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\csrss.exe	agentServer.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\winlogon.exe	agentServer.exe
File created	C:\Windows\LiveKernelReports\cc11b995f2a76d	agentServer.exe
File created	C:\Windows\L2Schemas\winlogon.exe	agentServer.exe
File created	C:\Windows\L2Schemas\cc11b995f2a76d	agentServer.exe
File created	C:\Windows\CSC\v2.0.6\lsm.exe	agentServer.exe
File created	C:\Windows\Media\Raga\winlogon.exe	agentServer.exe
File created	C:\Windows\Media\Raga\cc11b995f2a76d	agentServer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2992	schtasks.exe
2356	schtasks.exe
1948	schtasks.exe
2144	schtasks.exe
2680	schtasks.exe
2280	schtasks.exe
2192	schtasks.exe
524	schtasks.exe
2852	schtasks.exe
2432	schtasks.exe
2912	schtasks.exe
2908	schtasks.exe
544	schtasks.exe
1516	schtasks.exe
2532	schtasks.exe
1152	schtasks.exe
2852	schtasks.exe
2776	schtasks.exe
1964	schtasks.exe
2352	schtasks.exe
2884	schtasks.exe
964	schtasks.exe
1748	schtasks.exe
892	schtasks.exe
2024	schtasks.exe
1704	schtasks.exe
1216	schtasks.exe
2892	schtasks.exe
1944	schtasks.exe
2200	schtasks.exe
2968	schtasks.exe
2628	schtasks.exe
2552	schtasks.exe
1156	schtasks.exe
2332	schtasks.exe
432	schtasks.exe
1736	schtasks.exe
1664	schtasks.exe
1696	schtasks.exe
2096	schtasks.exe
2308	schtasks.exe
2232	schtasks.exe
2660	schtasks.exe
2880	schtasks.exe
1640	schtasks.exe
2880	schtasks.exe
2828	schtasks.exe
932	schtasks.exe
576	schtasks.exe
1452	schtasks.exe
1540	schtasks.exe
928	schtasks.exe
924	schtasks.exe
2696	schtasks.exe
1916	schtasks.exe
524	schtasks.exe
1944	schtasks.exe
1352	schtasks.exe
1076	schtasks.exe
2624	schtasks.exe
1148	schtasks.exe
1928	schtasks.exe
1576	schtasks.exe
1332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
2680	agentServer.exe
2680	agentServer.exe
2680	agentServer.exe
1968	agentServer.exe
2168	agentServer.exe
1080	agentServer.exe
1400	WMIADAP.exe
1400	WMIADAP.exe
1400	WMIADAP.exe
1400	WMIADAP.exe
1400	WMIADAP.exe
1400	WMIADAP.exe
1400	WMIADAP.exe
1400	WMIADAP.exe
1400	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	agentServer.exe
Token: SeDebugPrivilege	1968	agentServer.exe
Token: SeDebugPrivilege	2168	agentServer.exe
Token: SeDebugPrivilege	1080	agentServer.exe
Token: SeDebugPrivilege	1400	WMIADAP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	DllHost.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2232	2160	b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3_JC.exe	28
PID 2160 wrote to memory of 2232	2160	b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3_JC.exe	28
PID 2160 wrote to memory of 2232	2160	b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3_JC.exe	28
PID 2160 wrote to memory of 2232	2160	b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3_JC.exe	28
PID 2232 wrote to memory of 1992	2232	prikol.exe	30
PID 2232 wrote to memory of 1992	2232	prikol.exe	30
PID 2232 wrote to memory of 1992	2232	prikol.exe	30
PID 2232 wrote to memory of 1992	2232	prikol.exe	30
PID 1992 wrote to memory of 2788	1992	WScript.exe	32
PID 1992 wrote to memory of 2788	1992	WScript.exe	32
PID 1992 wrote to memory of 2788	1992	WScript.exe	32
PID 1992 wrote to memory of 2788	1992	WScript.exe	32
PID 2788 wrote to memory of 2680	2788	cmd.exe	34
PID 2788 wrote to memory of 2680	2788	cmd.exe	34
PID 2788 wrote to memory of 2680	2788	cmd.exe	34
PID 2788 wrote to memory of 2680	2788	cmd.exe	34
PID 2680 wrote to memory of 2064	2680	agentServer.exe	58
PID 2680 wrote to memory of 2064	2680	agentServer.exe	58
PID 2680 wrote to memory of 2064	2680	agentServer.exe	58
PID 2064 wrote to memory of 828	2064	cmd.exe	60
PID 2064 wrote to memory of 828	2064	cmd.exe	60
PID 2064 wrote to memory of 828	2064	cmd.exe	60
PID 2064 wrote to memory of 1968	2064	cmd.exe	61
PID 2064 wrote to memory of 1968	2064	cmd.exe	61
PID 2064 wrote to memory of 1968	2064	cmd.exe	61
PID 1968 wrote to memory of 2168	1968	agentServer.exe	86
PID 1968 wrote to memory of 2168	1968	agentServer.exe	86
PID 1968 wrote to memory of 2168	1968	agentServer.exe	86
PID 2168 wrote to memory of 1960	2168	agentServer.exe	93
PID 2168 wrote to memory of 1960	2168	agentServer.exe	93
PID 2168 wrote to memory of 1960	2168	agentServer.exe	93
PID 1960 wrote to memory of 1724	1960	cmd.exe	95
PID 1960 wrote to memory of 1724	1960	cmd.exe	95
PID 1960 wrote to memory of 1724	1960	cmd.exe	95
PID 1960 wrote to memory of 1080	1960	cmd.exe	96
PID 1960 wrote to memory of 1080	1960	cmd.exe	96
PID 1960 wrote to memory of 1080	1960	cmd.exe	96
PID 1080 wrote to memory of 1892	1080	agentServer.exe	139
PID 1080 wrote to memory of 1892	1080	agentServer.exe	139
PID 1080 wrote to memory of 1892	1080	agentServer.exe	139
PID 1892 wrote to memory of 2160	1892	cmd.exe	141
PID 1892 wrote to memory of 2160	1892	cmd.exe	141
PID 1892 wrote to memory of 2160	1892	cmd.exe	141
PID 1892 wrote to memory of 1400	1892	cmd.exe	142
PID 1892 wrote to memory of 1400	1892	cmd.exe	142
PID 1892 wrote to memory of 1400	1892	cmd.exe	142

C:\Users\Admin\AppData\Local\Temp\b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b134e4e5d74eb1a5ddd66625837b44ed6d23fbac004bbaae91ece785b7c574e3_JC.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Users\Admin\AppData\Local\Temp\prikol.exe
  "C:\Users\Admin\AppData\Local\Temp\prikol.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\comhostDhcpcommon\2tGgrQ6HpW.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\comhostDhcpcommon\V15q6MjWRY5zvqjkxpp.bat" "
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\comhostDhcpcommon\agentServer.exe
        
        "C:\comhostDhcpcommon\agentServer.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NbtcMstWWX.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:828
        
        C:\comhostDhcpcommon\agentServer.exe
        
        "C:\comhostDhcpcommon\agentServer.exe"
        7⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\comhostDhcpcommon\agentServer.exe
        
        "C:\comhostDhcpcommon\agentServer.exe"
        8⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oInhkeZCvT.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1724
        
        C:\comhostDhcpcommon\agentServer.exe
        
        "C:\comhostDhcpcommon\agentServer.exe"
        10⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FB4nbrz0Ud.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2160
        
        C:\Users\Default\SendTo\WMIADAP.exe
        
        "C:\Users\Default\SendTo\WMIADAP.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServera" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\agentServer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\agentServer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServera" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\agentServer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\comhostDhcpcommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\comhostDhcpcommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\comhostDhcpcommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\da44eba2-42d1-11ee-99bc-edb7b952c7e3\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\da44eba2-42d1-11ee-99bc-edb7b952c7e3\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Recovery\da44eba2-42d1-11ee-99bc-edb7b952c7e3\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\L2Schemas\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\L2Schemas\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\L2Schemas\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\comhostDhcpcommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\comhostDhcpcommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\comhostDhcpcommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServera" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\agentServer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServer" /sc ONLOGON /tr "'C:\Users\Default User\agentServer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "agentServera" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\agentServer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\comhostDhcpcommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\comhostDhcpcommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\comhostDhcpcommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Media\Raga\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Media\Raga\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Raga\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\comhostDhcpcommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\comhostDhcpcommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\comhostDhcpcommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\da44eba2-42d1-11ee-99bc-edb7b952c7e3\wininit.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\da44eba2-42d1-11ee-99bc-edb7b952c7e3\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\da44eba2-42d1-11ee-99bc-edb7b952c7e3\wininit.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\winlogon.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\winlogon.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Windows\LiveKernelReports\winlogon.exe'" /rl HIGHEST /f
1⤵
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe'" /f
1⤵
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe'" /rl HIGHEST /f
1⤵
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\lsass.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\WMIADAP.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\SendTo\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\Default\SendTo\WMIADAP.exe'" /rl HIGHEST /f
1⤵
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\smss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /f
1⤵
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Creates scheduled task(s)
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\WmiPrvSE.exe'" /f
1⤵
- Creates scheduled task(s)
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Reader 9.0\Resource\dwm.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\Users\Admin\AppData\Local\Temp\FB4nbrz0Ud.bat

Filesize
200B

MD5
0509215178694a6318c1636ed6a28077

SHA1
3fc2a7b320ba68fcbc348b4dbc60c5d6f394bbe2

SHA256
67593fbe7fe4afc2e4af568810fca513568891b412faa39eeb59512c646a1b00

SHA512
eaacdee96d3fa10406adeb4a79e78668f66ffe7c3c64976b3f1d9a3ce98c5463d87681c3ebb5e00b784e420ba1b9839ed0b766c13c8244e2f9120881bb254def

Download Submit
C:\Users\Admin\AppData\Local\Temp\NbtcMstWWX.bat

Filesize
201B

MD5
ceba174dd7ab71257544173b144c33a1

SHA1
c8429dc711ce83644974f7c3ab570c4ada71c9ea

SHA256
b602486640d61f6aa722821af4a84b03bce0411a9a0ad7b1393188ba016e42e8

SHA512
d3bf9c3ce7946b71056606506394d807b8718f19d7ba6b5e8435aa40960734efad1b516131fde81933112d2df0982b631deb400deb39c36f61346d283dae51da

Download Submit
C:\Users\Admin\AppData\Local\Temp\krasivye-kartinki-pandy-na-rabochij-stol-26.jpg

Filesize
355KB

MD5
0726b75ceb8ff437a917cc3e2ab8480d

SHA1
f010247cbc857e00cc8d4cee6794f3d6d81c4772

SHA256
55d61d7537d4ba7b1b5f915c3d1200951f952d373c50294bd3c752e968d45fbc

SHA512
4faeb7ce7e811116bf5f82584f397c275fca8ab714a26e32f8b81b449aa08eb1f9a865988d2eeff09441d0df835b885ebf6ac1389a86e16d7fcd7cc59251efb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oInhkeZCvT.bat

Filesize
201B

MD5
4c8202da7001d92f57e140f461b6dbd6

SHA1
cc62caad963047b9a1e72d7dfd652acac2e33e84

SHA256
e8f87e16def37191da096e537fc1ab464720ae7928ee5d571ccd219bf693bb1e

SHA512
c2c291c2b6d2c08f9da0810f5097b9728601b597f067b649d9b8d35799b4c5ea2299bcee632bbe484146e0d7807518625b4865deb80698e29f3bfbe957a0fcbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
C:\Users\Default User\6203df4a6bafc7

Filesize
797B

MD5
2d9751127de3100abf6b0f8edf50fd75

SHA1
bfc19a17ed5d607b6d164d2ef452720a59ad58e7

SHA256
e7189d75418d211bcd31cd83ad9e7c3fa7311fc0d2997e95eb1240173871eca0

SHA512
0d74a2055051c132dc9e65a192b9b04734e397e72fc313727c235ae6512fefed9f1ff210b028bc4f4b79989bcf323304da138f59430e50dfddba97682d162254

Download Submit
C:\Users\Default User\lsass.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\WMIADAP.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\Users\Default\SendTo\WMIADAP.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\2tGgrQ6HpW.vbe

Filesize
213B

MD5
c0dbb672804e81ed5bdc6ae50ec4b16a

SHA1
df8bfc820f8de52ce8293395446991e5e5c43125

SHA256
3a91849c1602a6fd0556663ea487f01d64fe4828f619ed5eb3f13c67c20dd905

SHA512
6546e2c5c95f5bab69f7664cd4a0850a55554a1394a3dfe8252d048227df6ca8f0aec034f5954dbfc8eaf2137e642970364f71c1a5be5d5a68b6e5c32858f9e7

Download Submit
C:\comhostDhcpcommon\V15q6MjWRY5zvqjkxpp.bat

Filesize
38B

MD5
9daeb83018f1b30f4911748df09b9fa5

SHA1
6162370200b2c9e65620291d6ff114236492824e

SHA256
c85b773f45f51d07874769ea344f153f63709b38f04cfc4180a7791392dcd5bb

SHA512
1ec027262ba1aca607e00d00afb4cff5f471f39fb76760a1ac7af1437bd23814f0cb1ef8cad2211db104772ba02501812ba8e96f41ee3e0da56a7aac3ef5bced

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
C:\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
\Users\Admin\AppData\Local\Temp\prikol.exe

Filesize
1.1MB

MD5
1df91d3d9db8d531d84c3090af0c5399

SHA1
d5289bf48dc32630219ca3fb50b9509e40a61d82

SHA256
a6e63a37391179fcb2b624a4e3a12a2d59fcd2479b79d8e0d117facd0b6b4948

SHA512
85762e86d9aeb7d8360af01405e90fd5a06c1b5f53c5c913b1a2d025361bed7e3bb8cfca05e23c3ae87fe9fec8073e4687d5700d88b29adaa027186186288979

Download Submit
\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
\comhostDhcpcommon\agentServer.exe

Filesize
829KB

MD5
9bc17f902aa42e14e3942b2895bbcd50

SHA1
a9ae75b0ec339a7fbbde2dc67fbf3639fdf046c2

SHA256
6133eab082730a37822829c47341c6f0d4dfd8fcec990e9d1a29067dcb32421b

SHA512
a9b0918cb2add3fd507b38d929b1dff8f433020fa885f2b76c79d8bd8e471d4baa6df7f8d1f3a09397d7d10c03b2f49c4870646d6225d0e22de0806ae5a9de46

Download Submit
memory/1080-88-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/1080-122-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-125-0x0000000000CD0000-0x0000000000DA6000-memory.dmp

Filesize
856KB

Download
memory/1400-127-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/1400-126-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-128-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1400-129-0x000000001B020000-0x000000001B0A0000-memory.dmp

Filesize
512KB

Download
memory/1968-54-0x000000001AE40000-0x000000001AEC0000-memory.dmp

Filesize
512KB

Download
memory/1968-53-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1968-76-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/1968-52-0x0000000000E70000-0x0000000000F46000-memory.dmp

Filesize
856KB

Download
memory/2156-18-0x0000000000160000-0x0000000000162000-memory.dmp

Filesize
8KB

Download
memory/2156-19-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2156-32-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2160-17-0x0000000002B10000-0x0000000002B12000-memory.dmp

Filesize
8KB

Download
memory/2168-86-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2168-75-0x0000000000DE0000-0x0000000000E60000-memory.dmp

Filesize
512KB

Download
memory/2168-74-0x000007FEF4A00000-0x000007FEF53EC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-27-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download
memory/2680-28-0x0000000000D70000-0x0000000000E46000-memory.dmp

Filesize
856KB

Download
memory/2680-29-0x000000001AF60000-0x000000001AFE0000-memory.dmp

Filesize
512KB

Download
memory/2680-50-0x000007FEF53F0000-0x000007FEF5DDC000-memory.dmp

Filesize
9.9MB

Download