dcrat | 6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe
Size

1.3MB
MD5

597145f6c6d0a2c648cef94239127d66
SHA1

de75fe961729970e6980f817c452400ceb96c7e4
SHA256

6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2
SHA512

1b7b90ee65ce37f1ea3a960d5babf951e29984d4e4211ff4a8de273aad565d7dcba73de638a763a9544da4c53476eeb4cc565be8d97c463a474a08e50d63a13e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2716	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2716	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000195c5-10.dat	dcrat
behavioral1/memory/2088-13-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2348-136-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/284-195-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/1932-255-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat
behavioral1/memory/1800-315-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3040	powershell.exe
1856	powershell.exe
2452	powershell.exe
1520	powershell.exe
1404	powershell.exe
1800	powershell.exe
1860	powershell.exe
1968	powershell.exe
1008	powershell.exe
1528	powershell.exe
1256	powershell.exe
1676	powershell.exe
1592	powershell.exe
572	powershell.exe
2320	powershell.exe
2388	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2088	DllCommonsvc.exe
2348	spoolsv.exe
284	spoolsv.exe
1932	spoolsv.exe
1800	spoolsv.exe
2616	spoolsv.exe
2536	spoolsv.exe
2160	spoolsv.exe
2484	spoolsv.exe
2432	spoolsv.exe
2244	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
1544	cmd.exe
1544	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\lsm.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Offline Web Pages\System.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2204	schtasks.exe
1948	schtasks.exe
2376	schtasks.exe
408	schtasks.exe
2200	schtasks.exe
2700	schtasks.exe
2732	schtasks.exe
1348	schtasks.exe
2888	schtasks.exe
2796	schtasks.exe
396	schtasks.exe
3000	schtasks.exe
1764	schtasks.exe
1788	schtasks.exe
1440	schtasks.exe
2172	schtasks.exe
832	schtasks.exe
1108	schtasks.exe
816	schtasks.exe
1988	schtasks.exe
2024	schtasks.exe
2928	schtasks.exe
2924	schtasks.exe
968	schtasks.exe
1400	schtasks.exe
1652	schtasks.exe
2724	schtasks.exe
2556	schtasks.exe
2904	schtasks.exe
1364	schtasks.exe
1548	schtasks.exe
1796	schtasks.exe
2256	schtasks.exe
1048	schtasks.exe
2808	schtasks.exe
2632	schtasks.exe
2648	schtasks.exe
2140	schtasks.exe
2416	schtasks.exe
1468	schtasks.exe
3004	schtasks.exe
2860	schtasks.exe
1880	schtasks.exe
1204	schtasks.exe
1476	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2088	DllCommonsvc.exe
2088	DllCommonsvc.exe
2088	DllCommonsvc.exe
1008	powershell.exe
1256	powershell.exe
2452	powershell.exe
2320	powershell.exe
3040	powershell.exe
1860	powershell.exe
1520	powershell.exe
1528	powershell.exe
572	powershell.exe
1592	powershell.exe
1968	powershell.exe
1404	powershell.exe
2388	powershell.exe
1676	powershell.exe
1856	powershell.exe
1800	powershell.exe
2348	spoolsv.exe
284	spoolsv.exe
1932	spoolsv.exe
1800	spoolsv.exe
2616	spoolsv.exe
2536	spoolsv.exe
2160	spoolsv.exe
2484	spoolsv.exe
2432	spoolsv.exe
2244	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	DllCommonsvc.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2348	spoolsv.exe
Token: SeDebugPrivilege	284	spoolsv.exe
Token: SeDebugPrivilege	1932	spoolsv.exe
Token: SeDebugPrivilege	1800	spoolsv.exe
Token: SeDebugPrivilege	2616	spoolsv.exe
Token: SeDebugPrivilege	2536	spoolsv.exe
Token: SeDebugPrivilege	2160	spoolsv.exe
Token: SeDebugPrivilege	2484	spoolsv.exe
Token: SeDebugPrivilege	2432	spoolsv.exe
Token: SeDebugPrivilege	2244	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1552	1448	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe	31
PID 1448 wrote to memory of 1552	1448	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe	31
PID 1448 wrote to memory of 1552	1448	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe	31
PID 1448 wrote to memory of 1552	1448	6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe	31
PID 1552 wrote to memory of 1544	1552	WScript.exe	32
PID 1552 wrote to memory of 1544	1552	WScript.exe	32
PID 1552 wrote to memory of 1544	1552	WScript.exe	32
PID 1552 wrote to memory of 1544	1552	WScript.exe	32
PID 1544 wrote to memory of 2088	1544	cmd.exe	34
PID 1544 wrote to memory of 2088	1544	cmd.exe	34
PID 1544 wrote to memory of 2088	1544	cmd.exe	34
PID 1544 wrote to memory of 2088	1544	cmd.exe	34
PID 2088 wrote to memory of 1256	2088	DllCommonsvc.exe	81
PID 2088 wrote to memory of 1256	2088	DllCommonsvc.exe	81
PID 2088 wrote to memory of 1256	2088	DllCommonsvc.exe	81
PID 2088 wrote to memory of 1008	2088	DllCommonsvc.exe	82
PID 2088 wrote to memory of 1008	2088	DllCommonsvc.exe	82
PID 2088 wrote to memory of 1008	2088	DllCommonsvc.exe	82
PID 2088 wrote to memory of 1856	2088	DllCommonsvc.exe	84
PID 2088 wrote to memory of 1856	2088	DllCommonsvc.exe	84
PID 2088 wrote to memory of 1856	2088	DllCommonsvc.exe	84
PID 2088 wrote to memory of 1860	2088	DllCommonsvc.exe	85
PID 2088 wrote to memory of 1860	2088	DllCommonsvc.exe	85
PID 2088 wrote to memory of 1860	2088	DllCommonsvc.exe	85
PID 2088 wrote to memory of 1800	2088	DllCommonsvc.exe	86
PID 2088 wrote to memory of 1800	2088	DllCommonsvc.exe	86
PID 2088 wrote to memory of 1800	2088	DllCommonsvc.exe	86
PID 2088 wrote to memory of 3040	2088	DllCommonsvc.exe	87
PID 2088 wrote to memory of 3040	2088	DllCommonsvc.exe	87
PID 2088 wrote to memory of 3040	2088	DllCommonsvc.exe	87
PID 2088 wrote to memory of 2452	2088	DllCommonsvc.exe	89
PID 2088 wrote to memory of 2452	2088	DllCommonsvc.exe	89
PID 2088 wrote to memory of 2452	2088	DllCommonsvc.exe	89
PID 2088 wrote to memory of 2388	2088	DllCommonsvc.exe	90
PID 2088 wrote to memory of 2388	2088	DllCommonsvc.exe	90
PID 2088 wrote to memory of 2388	2088	DllCommonsvc.exe	90
PID 2088 wrote to memory of 1520	2088	DllCommonsvc.exe	92
PID 2088 wrote to memory of 1520	2088	DllCommonsvc.exe	92
PID 2088 wrote to memory of 1520	2088	DllCommonsvc.exe	92
PID 2088 wrote to memory of 1528	2088	DllCommonsvc.exe	94
PID 2088 wrote to memory of 1528	2088	DllCommonsvc.exe	94
PID 2088 wrote to memory of 1528	2088	DllCommonsvc.exe	94
PID 2088 wrote to memory of 2320	2088	DllCommonsvc.exe	97
PID 2088 wrote to memory of 2320	2088	DllCommonsvc.exe	97
PID 2088 wrote to memory of 2320	2088	DllCommonsvc.exe	97
PID 2088 wrote to memory of 572	2088	DllCommonsvc.exe	98
PID 2088 wrote to memory of 572	2088	DllCommonsvc.exe	98
PID 2088 wrote to memory of 572	2088	DllCommonsvc.exe	98
PID 2088 wrote to memory of 1404	2088	DllCommonsvc.exe	99
PID 2088 wrote to memory of 1404	2088	DllCommonsvc.exe	99
PID 2088 wrote to memory of 1404	2088	DllCommonsvc.exe	99
PID 2088 wrote to memory of 1968	2088	DllCommonsvc.exe	100
PID 2088 wrote to memory of 1968	2088	DllCommonsvc.exe	100
PID 2088 wrote to memory of 1968	2088	DllCommonsvc.exe	100
PID 2088 wrote to memory of 1592	2088	DllCommonsvc.exe	101
PID 2088 wrote to memory of 1592	2088	DllCommonsvc.exe	101
PID 2088 wrote to memory of 1592	2088	DllCommonsvc.exe	101
PID 2088 wrote to memory of 1676	2088	DllCommonsvc.exe	102
PID 2088 wrote to memory of 1676	2088	DllCommonsvc.exe	102
PID 2088 wrote to memory of 1676	2088	DllCommonsvc.exe	102
PID 2088 wrote to memory of 2084	2088	DllCommonsvc.exe	107
PID 2088 wrote to memory of 2084	2088	DllCommonsvc.exe	107
PID 2088 wrote to memory of 2084	2088	DllCommonsvc.exe	107
PID 2084 wrote to memory of 2344	2084	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe
"C:\Users\Admin\AppData\Local\Temp\6509eaeadebb1d825eb80469017139173ff1b89e84006b0514ef6417ecab9db2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1544
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v2LCy8Ckdu.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2344
      - C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        7⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1840
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"
        9⤵
        
        PID:976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1200
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat"
        11⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2564
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        13⤵
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3044
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
        15⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1520
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat"
        17⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1576
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
        19⤵
        
        PID:996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1364
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
        21⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1608
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        23⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3068
        
        C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        25⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Offline Web Pages\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58a071091f448fd0f09d56c1244b8f57

SHA1
627a717d025d0fc57d52b9b1d99698f4b65b4815

SHA256
75e2cdf37645cf22537c9c1d4e9408c86f31ca0f9fed3e8f757ddd35274bd96e

SHA512
2ea30bf422596395c1beca3d362613a1a8081cb80cc05438c4568b4b6622b7c88107f072b656a1bf94383f292614839dc6b15714f8dfd61237d029a35e071e70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
488dd9316bb7c81ba62075c6fcce8a92

SHA1
d3f637df8c5c45c6ac2a81e18553a1374804dea0

SHA256
18ad67c9dfae12baa577349b7d9b66c8226c1710e397e15942ef88c40826bff4

SHA512
7a7bf5f4616b5d027defb34f23641acba405e429e253bfcee54ae4c56ebaac81d35ff53a8b215604723be30ae8344da3b7bc71509cd27a7d9405f729e98d1332

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5c54c866b7baec6d4b0da62001e1dbc

SHA1
636eb2ae3d9a4256ac1a300630d45e3e8c281ff4

SHA256
deae340a87b895c63143d08d3fc9866d7bd0a52807b4cb94755730eb7e78a4cb

SHA512
18daac76962af811aeb3cfbe347559766bf25c266d54bb3e5e544c065947e51edfccc8545588de25325e8b11950685b13b54dbcd3f399d29a1054b3b6e03ced0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65904942e414da0e72560eb627642748

SHA1
42f222bea4af0de890cf587c4495b2d7ab38386b

SHA256
27c672e8db9809dff3a4697b0c95d828deaab8dc144180af780c426fd7769be7

SHA512
1e176b967761909078e1c1e824dfeb99cbaa8877b88c4a70cc37e472577d50c73850f4da0bc850a9db66ed462bd09202cf1a956798dc0d9c535dcfb9fa7637af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3de4bdef43f56ad84a6922e1b3cbf449

SHA1
799199ee8911b94ca991035352190e5e36e1a8ff

SHA256
e25f4c58d38cff5edad70935e49340ce3d9561d9359551465f078ed07ce4ec33

SHA512
9829900b72ef8e183e1b1f574bd768b4834e669434827cdec977d8ab091b4cf36c7d2216eec18f783ae419861d513300482385cf12dc7e488e6a14e13a124440

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
538b038fcd275f5eb85552114430b841

SHA1
61dc0934d18e52c462638aa16b94af0bc21f14ba

SHA256
f23f79054cd38af29ca530346479314104b5a8c0b22eef35725b5a39b5f28d12

SHA512
200788e716297ebbbc76645b0be81967105cf66f65af79647567437afd5165bc0b21a5ec55596d3ab6392b2026156a166e05f79d91216833ecd404f010eeda9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edce077b766c51881794db049201832b

SHA1
cdcdb2ba4fba1c86a645294756d296cfef335d98

SHA256
cc40795d027b62a8e5fce544fea9ea2234c27e5d4dfb15410a8997bb538c01b7

SHA512
0b852c90b490fb53bb0d8ab01ba68c2c9a96f8488bc5312cc08cb49a434c20f666d55a0ad6d337249d07d9c5afc402b72880523a3d376ca4da44febc49cacc7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19aad536577b4caa8961dc13e3ef9029

SHA1
c9710fa4e2631960ab9e3fdd1bacb583fa957cfe

SHA256
26a4f5be546be9173a98e83b4a7ba11838f7d3865f90a053982b9ba5cf05d4ae

SHA512
7ffd81f515002ad1ddf1ba2ecdc916f73ab89f60d32653b1a5ea8c992d817e33452a138cf602e08f2ee81efdab8bca0defa868c19f7a16b3bdb86e0f94bd47ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8df62c9af2f3d9d73593e7fde72c830

SHA1
98a9bf437f64e3f7b57a270c6808fa0b83f8ff2f

SHA256
5425ad673d14f859cca2d30ea7de3628d23755f2895f86f54fa20ea9349d2f32

SHA512
0115586aee480774d568212ec47fe5e5941d9093219fe9e884554b3a838cb612981588dffc1c98ed0633e279b46e368ac67b68266a9eaf22372e0315c45887d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

Filesize
220B

MD5
0faa86f29a9fc12ce0f4dbc7ff7321d0

SHA1
5e038d71c796fb0ccab571c670c1eca1f605b1b6

SHA256
b87875cd420828390d306d9159c7ad11c962f86ffbcd8e674f0efb39fe5530e4

SHA512
d2cdf124cf61aacf84e47e13a71287df2c021b649dd4c6c8f92dd784ce9f6e7d30a3f52eae8cd49e51643088f3ada9d90369df60e55787c504a19fc486daaf9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

Filesize
220B

MD5
3cc500cd06e8c389b125dd4845db09b9

SHA1
08f8ace1a9d01af6770bef268c08bae4c152502d

SHA256
cabd65498eacb7c2c0a33e885473cb9158629c188e21dbde9ff7b1c542e97b32

SHA512
aeb9bdfefd964aec839af4698f14725c661e9fc644a2f3b42cc6f3c33c634f581986c8618ef60e7ee8a0666ff17958662667b699d6638d9692075f1f150bb859

Download Submit
C:\Users\Admin\AppData\Local\Temp\CSN9cxKiet.bat

Filesize
220B

MD5
8800f9e8516db0317c558a50a2d3a132

SHA1
9bb27b76dc5eccedd97327eeeb699b9dfb772957

SHA256
9947609cf846a362120cdf762bf3abc165e9fa96296121efcbe653a60cb2aa50

SHA512
9087e0869a95947667c092469734a0756e39d5107bcbfb149ea8425d9fcde3f0f2e6bd898bf5b16b1cf6fab89e5b76d8cb3f79e24f3760ffce9e76452eb3f0ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab30D2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
220B

MD5
c9a5ee40351165b2b74e83282136d8cb

SHA1
0b04ffc333d90f90a0bf8f69421ce9517358a6d5

SHA256
41472f11f4a72eee60dba81a327068ddfe030112bb0c7ce801267e2d1d4aad6a

SHA512
c0446e509f81a823bbbf1846d65451a39f54f7efd75519150a6b4d9b92cf6561d7e45fc5432940b72a74c8a9c82c76cd3d411c850359d10c08656ac7392f807c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar30E5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat

Filesize
220B

MD5
32157687b721216719fb47f886caedc0

SHA1
29b5b55489ceb13b68969617424a9a70d4e52aa8

SHA256
8bc845c32b94cc1af4e111c731d55d86fa5acd9df897f22f96a546952c470854

SHA512
a0b567307050b21c272a67bb4f7676bc79be79c0eee280dbdf930e2e93f90d1b2330e75a4ac4d8b1b3cdaa14bff9145460a6c999562fbd1df746e6cf511bbf14

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
220B

MD5
4757269af5eaf860c86f495d6c9467d5

SHA1
c9806307a8e02b73bda9a4c3bbb1e38c20f872c4

SHA256
5eadeb8689e11e215351397108dff9b09b6e9cf541de3175f93626d3a1ebc345

SHA512
696224fc8ae02a5460755d3cf9d73f4ac42d45ca00a13fa3ff01ad872c7fe68c73a2675b2b97c8032559b06a3ed2bca514777dfbd4bd5e50853b88235f22566c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
220B

MD5
011e2d5d56cea7f08fcc18e2eb844221

SHA1
4182b4997b09fbfe90c6c3d29811782a94707c4d

SHA256
4ffdc6a7a38f976e9dc4d6c924e3043aa56ce0985d95af86a0a0b9696386ae73

SHA512
41edcbbfa039b301c0505aad624bf31cc75e6017e0f76509c60e5ef37c784d3f4f4230695775dd5cbaa59c0b478af95e97970a49b05578fc2fe1826b65937d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\sJ59Arupck.bat

Filesize
220B

MD5
f0f11d45e48613a2e9b0644ca3dde6a8

SHA1
616b5b0cd7837ac748e8f3345799070d687c98ff

SHA256
8bc39a22279cfb05037cfdfa7a37d45e3637937342bfb5f421f716dd92df87f9

SHA512
4485fee29df580042386548b3d5a453e4970c69c7c4a2062b617b3a7e8e9dccf70d191325c09f31eba37ba47f96a835557fc5c541091f4c46e6a2cd488cdf6fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\v2LCy8Ckdu.bat

Filesize
220B

MD5
70c4d4b86291b7ec1c13cc3b25dddfa7

SHA1
312d39eb2cd1e9e145f68873bb586139f4f36f92

SHA256
c15830b4408f48d65c8fc9eb74b2ae4ece405d6a7c86db724e14d9f3dafda555

SHA512
46c51101cc45b838db59bf6dd994d8d33cd8cc62f69e2485a936fa3061533367238efb3a8cb068ff721d27361379d2e2f7beebef9bcb22fb74b46cbea21b84bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
220B

MD5
0972b9773f96e0193d8e2795dfcb6a4b

SHA1
ba7b78a5a419333b0016a81de3cd2fff695730f3

SHA256
c28f1b98420767960a9ed433e4760e562a787ba3e927023810a59a167731e663

SHA512
24f0b9c1a3680b4540fa785e6be7d368d3860e4d1343d253f8fbe28a081af557b4fda1374ddeb6702c870e151d3f06565f299b9b912c096a148e9c8c80e7787b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat

Filesize
220B

MD5
3ad2cb7c9a8f3a732067e04d64c9e453

SHA1
61ad4143e7c7095ce1a404bb6772ad537ce9a9d2

SHA256
815b053bd4a9bde498e88c743357139246b290ae90df9d145c34c0230d1c0ca7

SHA512
0598a74aefd58277d919c987c5fd41da182166b641b44bb9b1ba8d7f59f74f8559b0ab1e6206adb75a46db86e1d70f593c13597e9a2d04d85c10ad1592790dd6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
07a199147e9e0237a3a18e6118933fa4

SHA1
341587275fb13f713709c4be60d3c0f15cc57397

SHA256
fd46c01fe90fdc174669a953c35f8b67f545b66364f48e0856030a5a3d306e68

SHA512
c3b6ff002b19ed09397e5f011b2c85a59392a6d11c47eb726283bb9b0b867ac6594fe03e09336b665392174a3396988f2a71d91f6dcafece117dca9ab682cd3c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/284-195-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/1008-61-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1008-67-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1800-316-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1800-315-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/1932-255-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/2088-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2088-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2088-13-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2088-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2088-17-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2348-136-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download