dcrat | 693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-11-2024 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exe
Size

1.3MB
MD5

390d1d57616f0996af066220986e7c87
SHA1

a1ee19735496eb3b187d8968f2cbb7e66f30003c
SHA256

693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873
SHA512

45f2626f628372c5efba357c6e59cab8716d5c87121985075b860831c0dda24fec6f74b2e66d657d5fa1f3991a31069e2dd3609014fd4b033e94136cfbb9e794
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3012	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3012	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/files/0x0008000000015d79-12.dat	dcrat
behavioral1/memory/2784-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/2952-120-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1640-179-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/1708-239-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat
behavioral1/memory/1936-359-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/3016-419-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	Process
1416	powershell.exe
2440	powershell.exe
2092	powershell.exe
876	powershell.exe
2284	powershell.exe
2000	powershell.exe
2488	powershell.exe
1588	powershell.exe
2088	powershell.exe
1992	powershell.exe
1616	powershell.exe
1648	powershell.exe
1504	powershell.exe
328	powershell.exe
2604	powershell.exe

Executes dropped EXE 10 IoCs

Processes:

DllCommonsvc.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	Process
2784	DllCommonsvc.exe
2952	dllhost.exe
1640	dllhost.exe
1708	dllhost.exe
1696	dllhost.exe
1936	dllhost.exe
3016	dllhost.exe
2364	dllhost.exe
1748	dllhost.exe
1744	dllhost.exe

Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid	Process
2304	cmd.exe
2304	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\fonts\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Visualizations\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

Processes:

DllCommonsvc.exe

description	ioc	Process
File created	C:\Windows\Boot\Fonts\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exeWScript.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

pid	Process
1808	schtasks.exe
2904	schtasks.exe
936	schtasks.exe
1556	schtasks.exe
2200	schtasks.exe
2320	schtasks.exe
1800	schtasks.exe
3060	schtasks.exe
1560	schtasks.exe
1720	schtasks.exe
2704	schtasks.exe
2940	schtasks.exe
444	schtasks.exe
2580	schtasks.exe
1432	schtasks.exe
1664	schtasks.exe
2364	schtasks.exe
1836	schtasks.exe
1500	schtasks.exe
2388	schtasks.exe
2724	schtasks.exe
628	schtasks.exe
1152	schtasks.exe
2936	schtasks.exe
2040	schtasks.exe
1236	schtasks.exe
2988	schtasks.exe
2540	schtasks.exe
1636	schtasks.exe
1932	schtasks.exe
1020	schtasks.exe
1344	schtasks.exe
2720	schtasks.exe
2216	schtasks.exe
2792	schtasks.exe
352	schtasks.exe
1756	schtasks.exe
1348	schtasks.exe
2060	schtasks.exe
2804	schtasks.exe
1960	schtasks.exe
2248	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exedllhost.exe

pid	Process
2784	DllCommonsvc.exe
2284	powershell.exe
1648	powershell.exe
328	powershell.exe
1616	powershell.exe
876	powershell.exe
2488	powershell.exe
1588	powershell.exe
2092	powershell.exe
2604	powershell.exe
2440	powershell.exe
1504	powershell.exe
1416	powershell.exe
2088	powershell.exe
1992	powershell.exe
2000	powershell.exe
2952	dllhost.exe
1640	dllhost.exe
1708	dllhost.exe
1696	dllhost.exe
1936	dllhost.exe
3016	dllhost.exe
2364	dllhost.exe
1748	dllhost.exe
1744	dllhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

description	pid	Process
Token: SeDebugPrivilege	2784	DllCommonsvc.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2952	dllhost.exe
Token: SeDebugPrivilege	1640	dllhost.exe
Token: SeDebugPrivilege	1708	dllhost.exe
Token: SeDebugPrivilege	1696	dllhost.exe
Token: SeDebugPrivilege	1936	dllhost.exe
Token: SeDebugPrivilege	3016	dllhost.exe
Token: SeDebugPrivilege	2364	dllhost.exe
Token: SeDebugPrivilege	1748	dllhost.exe
Token: SeDebugPrivilege	1744	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exeWScript.execmd.exeDllCommonsvc.execmd.exe

description	pid	Process	procid_target
PID 2644 wrote to memory of 2340	2644	693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exe	30
PID 2644 wrote to memory of 2340	2644	693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exe	30
PID 2644 wrote to memory of 2340	2644	693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exe	30
PID 2644 wrote to memory of 2340	2644	693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exe	30
PID 2340 wrote to memory of 2304	2340	WScript.exe	31
PID 2340 wrote to memory of 2304	2340	WScript.exe	31
PID 2340 wrote to memory of 2304	2340	WScript.exe	31
PID 2340 wrote to memory of 2304	2340	WScript.exe	31
PID 2304 wrote to memory of 2784	2304	cmd.exe	33
PID 2304 wrote to memory of 2784	2304	cmd.exe	33
PID 2304 wrote to memory of 2784	2304	cmd.exe	33
PID 2304 wrote to memory of 2784	2304	cmd.exe	33
PID 2784 wrote to memory of 2604	2784	DllCommonsvc.exe	77
PID 2784 wrote to memory of 2604	2784	DllCommonsvc.exe	77
PID 2784 wrote to memory of 2604	2784	DllCommonsvc.exe	77
PID 2784 wrote to memory of 2088	2784	DllCommonsvc.exe	78
PID 2784 wrote to memory of 2088	2784	DllCommonsvc.exe	78
PID 2784 wrote to memory of 2088	2784	DllCommonsvc.exe	78
PID 2784 wrote to memory of 2284	2784	DllCommonsvc.exe	79
PID 2784 wrote to memory of 2284	2784	DllCommonsvc.exe	79
PID 2784 wrote to memory of 2284	2784	DllCommonsvc.exe	79
PID 2784 wrote to memory of 2440	2784	DllCommonsvc.exe	80
PID 2784 wrote to memory of 2440	2784	DllCommonsvc.exe	80
PID 2784 wrote to memory of 2440	2784	DllCommonsvc.exe	80
PID 2784 wrote to memory of 2000	2784	DllCommonsvc.exe	81
PID 2784 wrote to memory of 2000	2784	DllCommonsvc.exe	81
PID 2784 wrote to memory of 2000	2784	DllCommonsvc.exe	81
PID 2784 wrote to memory of 1416	2784	DllCommonsvc.exe	82
PID 2784 wrote to memory of 1416	2784	DllCommonsvc.exe	82
PID 2784 wrote to memory of 1416	2784	DllCommonsvc.exe	82
PID 2784 wrote to memory of 1992	2784	DllCommonsvc.exe	83
PID 2784 wrote to memory of 1992	2784	DllCommonsvc.exe	83
PID 2784 wrote to memory of 1992	2784	DllCommonsvc.exe	83
PID 2784 wrote to memory of 2488	2784	DllCommonsvc.exe	84
PID 2784 wrote to memory of 2488	2784	DllCommonsvc.exe	84
PID 2784 wrote to memory of 2488	2784	DllCommonsvc.exe	84
PID 2784 wrote to memory of 2092	2784	DllCommonsvc.exe	85
PID 2784 wrote to memory of 2092	2784	DllCommonsvc.exe	85
PID 2784 wrote to memory of 2092	2784	DllCommonsvc.exe	85
PID 2784 wrote to memory of 1588	2784	DllCommonsvc.exe	86
PID 2784 wrote to memory of 1588	2784	DllCommonsvc.exe	86
PID 2784 wrote to memory of 1588	2784	DllCommonsvc.exe	86
PID 2784 wrote to memory of 1616	2784	DllCommonsvc.exe	87
PID 2784 wrote to memory of 1616	2784	DllCommonsvc.exe	87
PID 2784 wrote to memory of 1616	2784	DllCommonsvc.exe	87
PID 2784 wrote to memory of 1648	2784	DllCommonsvc.exe	88
PID 2784 wrote to memory of 1648	2784	DllCommonsvc.exe	88
PID 2784 wrote to memory of 1648	2784	DllCommonsvc.exe	88
PID 2784 wrote to memory of 876	2784	DllCommonsvc.exe	89
PID 2784 wrote to memory of 876	2784	DllCommonsvc.exe	89
PID 2784 wrote to memory of 876	2784	DllCommonsvc.exe	89
PID 2784 wrote to memory of 1504	2784	DllCommonsvc.exe	90
PID 2784 wrote to memory of 1504	2784	DllCommonsvc.exe	90
PID 2784 wrote to memory of 1504	2784	DllCommonsvc.exe	90
PID 2784 wrote to memory of 328	2784	DllCommonsvc.exe	91
PID 2784 wrote to memory of 328	2784	DllCommonsvc.exe	91
PID 2784 wrote to memory of 328	2784	DllCommonsvc.exe	91
PID 2784 wrote to memory of 2476	2784	DllCommonsvc.exe	100
PID 2784 wrote to memory of 2476	2784	DllCommonsvc.exe	100
PID 2784 wrote to memory of 2476	2784	DllCommonsvc.exe	100
PID 2476 wrote to memory of 1772	2476	cmd.exe	109
PID 2476 wrote to memory of 1772	2476	cmd.exe	109
PID 2476 wrote to memory of 1772	2476	cmd.exe	109
PID 2476 wrote to memory of 2952	2476	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exe
"C:\Users\Admin\AppData\Local\Temp\693114f9c001918f29f7a33dbcfe202a2922cfa4785c0456ae717f95163c5873.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Visualizations\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xn3mOt0seI.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2476
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1772
      - C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
        7⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2860
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        9⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2872
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
        11⤵
        
        PID:972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:292
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"
        13⤵
        
        PID:1240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2952
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
        15⤵
        
        PID:1416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:824
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
        17⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1152
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        19⤵
        
        PID:3028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2700
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        21⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3060
        
        C:\Program Files (x86)\Windows Portable Devices\dllhost.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft Help\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Mozilla Firefox\fonts\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\Visualizations\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Setup\State\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77acdb5a7bca15890166bdc8ac455420

SHA1
df609c33cbea1cabf5faeab2a9e7d792b439851f

SHA256
a8bd185a0d2e5bdd7bb5212015e2222e96fc14ea16d265f6cbc22755223ef1bd

SHA512
757bb9113a14e0971affa2bfb632298cc9d97e966b7dd0cc642e31e5df3a5b1dbf1a04c17d705b599ac79ad045b7a976ed44046190bacc6ed54d0acfb72b5d17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03a5c030716ca6d90cd82c192b586ce4

SHA1
af1f4b8f5044ed55cba47118cbad024883c1a4fa

SHA256
d693c4389d12ffef0484a8bd8a671b7145f2b2afdc817502673801be525b118d

SHA512
2d8c34e531a3f390c94446e7c4e38c5dfe80b902bb275fa346278f03e463ab6aecfeacf571dfb64e0d6702f9381ef5d95093d50a05f7099ad587bc25f3515c31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44f71fb52decc46ed896117193b2b272

SHA1
5dbdcf027e3023c65e29ccf67ea94cd7952a0958

SHA256
0895891ac8c0f26e996e03df3b6163da4102de98ff8506129ed9b9c7616b237a

SHA512
e45cc232057a1e8dfecd289b53085eeaedd917e28bbb4e6142e335b848f2363889b51a153bbedc051d9cd6c85f8a82fa8fcc6adbc5166805a2e861dfc0a242c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4439480efa8823d75ded3435cd8eb02

SHA1
f73e28384860fead385deb2bee442ee8b6966d68

SHA256
361786715b628f2d9a6d039a9935be71cee621ffa8bdb5b063b1270b5b3ab730

SHA512
25d0afd24d330525dd4d588e9fa0367a70543886ab9bff433bce46f08f10ddf96fa5f224ef1ee7a5b48f604dcb1cf1f9174a94485ca18eb451c2358b1058ae7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
933127fbf2211c8ab623834beb65c236

SHA1
b93c92ffc4abc53b943823384644efbec1aa7f05

SHA256
ebfa577529ba444cb0ccca84e796b8ad551e6de7612c6b440549e979e5d3e87e

SHA512
b54795080ee7db90a461fb167fd3838d4b19f0b3cebc1eaacce28af7561e4df9e6b7ff7ff74ef8589bf5f5eb26ccf5d20e9684e95f9459b161bdcffcd82aabcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aaaab62d908da197588d5984799892d

SHA1
0ab39443547176f7b185391eec3d4a3b3c5919e6

SHA256
199700f9f4b125c7b4dad4090333e544e8852544b980b49cabd1ad72ae727793

SHA512
185b87b94418db5d8c7845569925e3f4b524779a36faad0721e806869b0fae1e632359c9ff9cd8d46f9d99032aadbc668fd24fed672003bea8d7b7d6bfdcfdc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f05c6b94134cbd0261022a57019cd98

SHA1
b6925138d73f949676fc98869e5722dd2a040ae9

SHA256
e0526451d316c948315a83d778324ee7ab222b85b614d242e55fdf744f0af7e7

SHA512
b784c141fb085c3b11e0636b61af53c19026528eebcc02ca0bc804a21eee645c1f96674879b6cfb3d0aa7bcc05cf23de389a1c17f26f9c2f1361394e42944a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
224B

MD5
0fb3424670b0b9d748f145afcf3ed9fb

SHA1
e4135a9be89ee86cdb3d80346ca2ac23c9f834f5

SHA256
2eb33bfcaa6f97cef320f44e5761af3b981daf8d992cb076a403b04a3f417362

SHA512
fd2d190397c6f7ecf781897eaf0b30f6e166c99e08243096b078de5a4542e4f09a51c693af8d29c19234c22a85b3e317b1b9fab308dd70b7cd1c0f0511de8ee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat

Filesize
224B

MD5
f6974cc03d0a473aef1c1b4ba6cf63b2

SHA1
744fef427c1b0db0e0888ada3c1ea9a431dee3a8

SHA256
5715364062e547492aa4bf641fe89159b1920df8522bf47f7c8189cefdd6e311

SHA512
d924102b7de760b36b1230c124df51840945ca246d1cde5daa4aaf223670c563ce5a7ccf85da9fa84db49b5489c9ec6bdda70a0ae4ab35d8b422f636f6847a59

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

Filesize
224B

MD5
9598338bdcfaa1201e08cdd8f0931481

SHA1
9df4a5e9cfa89a9d2423a325f692b617ef4994c0

SHA256
9edc37224032176be585818d0165b51f4892d86142c141059fc39ba507b19ab8

SHA512
57dddf286ece4e01d195470b63aa6e4180bfcadd86a55ce4089af82c926a52c3d0f8d0de730891da6a883f77c63148230b032209bfe03d309c4ead7ba3970b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFDB2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat

Filesize
224B

MD5
12c3c516c09e0614a7a0b1924e9d6298

SHA1
534a9ab15c81f48c9efd7a880bee937b18b5bd6f

SHA256
5c384ea3eb9098e091946f4182476915aa54fdb6b0976fe0e9e52efdb68e798b

SHA512
c25d6c3fb733d74b784109a94054059a0455b2c5c818df4ae1c72c1fc5250397c17aba188c0f6b6a490498b66820ac3f1c4501d0ad6762962377f9243234c7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
224B

MD5
ed14adbc8094860d36c50c4439aaa9f1

SHA1
5366b35c0299e21dfc2a656281bfee8e9b3d61a4

SHA256
e7cf793e435dc5922b12515a883790bd6f516a2a3ad4751a66ddf0dcf4aeb62c

SHA512
36360cd3a07a43a58cfec5f1e6d667247e8141dd7871edb3ea01d8c9311888df1fbf24b1f5d20e59876d4153118f6c2adff3f579c4dfc09f9c93a679c2c8769a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFDC5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
224B

MD5
bf85cf69f9046b4dd3bf2baf6dcc3d78

SHA1
c1d713106d71e8b46bf75b15247fdd5175d0bfcf

SHA256
79e3057121d28dba1d40bd02a3742b6a3ed1197c5cf8e832cfa5e80945817106

SHA512
0102c164775fc1b02d22718dbb2c8bda023ccbecb2ebe21b70b52784c3d94ba1bc4bfc9bc9db46edb5359ccc729c3511e2783679cd008dde579ce9d91ae6bb79

Download Submit
C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat

Filesize
224B

MD5
21642e34bd05fa5f0e332e587b335892

SHA1
b615d78b876b60b1dab02610dfe0366ea6f9995a

SHA256
cb3e140e73b396c400e3e85d4e7ffb7c5e6ada490d3ece5fe4e8ee2e7168f34b

SHA512
fe9f959186dc1930e70f4223144a042ad6b892f4876e185ade0929d2718bc91ab89b161e48c3b4eea26c248d254385231704ac35ebce8ffbc936cacd11348c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat

Filesize
224B

MD5
fecbbd4baf4feb8d1a91cbf97b584609

SHA1
9e19b6917a8591b4d14263dbe7d7144ac00e7167

SHA256
4e4e4d235cdf45a8d7204bdaa6b69f23fc3428287a018388ca26f66a5f9eab14

SHA512
2779acae1d497ae8d9f989739fdf285a052fec5ed6d036a91a702a2ed631903f269cf335a94c7521bcfbed08d576b34841d3b0dc264f760bae3be19cb93a4a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xn3mOt0seI.bat

Filesize
224B

MD5
c20b60b9a4a1007037224157d0d8e750

SHA1
308449cb1a1623674cac9a97f3484e4fb5245398

SHA256
764ee4062f7134db3ef14340d906f5b482585acdecb03d1da4ad0f4c0f399bb2

SHA512
16972254c6da8eea98998659ea9901d7c8d9ed1422cae35c2e8f976d1a55138e8e605259cb296f3a60191be4fe40bb98f9552e29659c5f0b20103bb103b765e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b2cc5a2ffb652bf1edab93a482192f6

SHA1
8c5112fdb340282f3bf01ba6804379b8aa1aae74

SHA256
a8a73866b1d6ed9e321dd5dc03d0f205d4f2bfb9db2f8202de3291b002d704e6

SHA512
a875ce5efd9cda63c0ecdeb96dff3a90507cdb61ea10a83767b59fd8eb3727c910c268b21efff88a8fc8605d100f56563a438574382e32c571d79d381232f963

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1640-179-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1696-299-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1708-239-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/1936-359-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2284-54-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2284-55-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2784-17-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2784-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2784-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2784-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2784-13-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2952-120-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/3016-419-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download