dcrat | 5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae.exe
Size

1.3MB
MD5

7ba87ff52d5177e45b6ca0d5ce0ff97c
SHA1

6a3de82618858585df4de7e0ab79d5479f6489b7
SHA256

5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae
SHA512

d2be7a45ac4af9cb35f24463090f142d83f7f51bb9ed0ba592cd11529bbd5d887150df15a9bb3f3e1c9dc79361b88d21824eee7ad9b85fd6c2cd07a4ba8f8306
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2800	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016af7-12.dat	dcrat
behavioral1/memory/2632-13-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/1120-133-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/2140-192-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/2952-252-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1220-313-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2740-432-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/628-492-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/1464-552-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/2192-671-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/2472-731-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
976	powershell.exe
1748	powershell.exe
352	powershell.exe
328	powershell.exe
1940	powershell.exe
2340	powershell.exe
1612	powershell.exe
304	powershell.exe
1672	powershell.exe
1580	powershell.exe
1680	powershell.exe
2572	powershell.exe
600	powershell.exe
1944	powershell.exe
872	powershell.exe
2596	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2632	DllCommonsvc.exe
1120	dllhost.exe
2140	dllhost.exe
2952	dllhost.exe
1220	dllhost.exe
484	dllhost.exe
2740	dllhost.exe
628	dllhost.exe
1464	dllhost.exe
1816	dllhost.exe
2192	dllhost.exe
2472	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2252	cmd.exe
2252	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Common\it-IT\taskhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2956	schtasks.exe
1704	schtasks.exe
2584	schtasks.exe
2888	schtasks.exe
2840	schtasks.exe
2796	schtasks.exe
2200	schtasks.exe
2348	schtasks.exe
1340	schtasks.exe
2704	schtasks.exe
1176	schtasks.exe
1732	schtasks.exe
1720	schtasks.exe
560	schtasks.exe
2732	schtasks.exe
3024	schtasks.exe
1300	schtasks.exe
2728	schtasks.exe
1912	schtasks.exe
632	schtasks.exe
796	schtasks.exe
1804	schtasks.exe
2540	schtasks.exe
956	schtasks.exe
2360	schtasks.exe
1408	schtasks.exe
832	schtasks.exe
1660	schtasks.exe
1596	schtasks.exe
688	schtasks.exe
2096	schtasks.exe
2688	schtasks.exe
2016	schtasks.exe
2132	schtasks.exe
3044	schtasks.exe
3056	schtasks.exe
2520	schtasks.exe
1652	schtasks.exe
828	schtasks.exe
3032	schtasks.exe
2504	schtasks.exe
2424	schtasks.exe
2884	schtasks.exe
2900	schtasks.exe
1356	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
328	powershell.exe
976	powershell.exe
1672	powershell.exe
1748	powershell.exe
2572	powershell.exe
352	powershell.exe
1944	powershell.exe
2596	powershell.exe
1680	powershell.exe
304	powershell.exe
872	powershell.exe
1940	powershell.exe
2340	powershell.exe
1612	powershell.exe
600	powershell.exe
1580	powershell.exe
1120	dllhost.exe
2140	dllhost.exe
2952	dllhost.exe
1220	dllhost.exe
484	dllhost.exe
2740	dllhost.exe
628	dllhost.exe
1464	dllhost.exe
1816	dllhost.exe
2192	dllhost.exe
2472	dllhost.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	DllCommonsvc.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1120	dllhost.exe
Token: SeDebugPrivilege	2140	dllhost.exe
Token: SeDebugPrivilege	2952	dllhost.exe
Token: SeDebugPrivilege	1220	dllhost.exe
Token: SeDebugPrivilege	484	dllhost.exe
Token: SeDebugPrivilege	2740	dllhost.exe
Token: SeDebugPrivilege	628	dllhost.exe
Token: SeDebugPrivilege	1464	dllhost.exe
Token: SeDebugPrivilege	1816	dllhost.exe
Token: SeDebugPrivilege	2192	dllhost.exe
Token: SeDebugPrivilege	2472	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 2248	1220	5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae.exe	30
PID 1220 wrote to memory of 2248	1220	5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae.exe	30
PID 1220 wrote to memory of 2248	1220	5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae.exe	30
PID 1220 wrote to memory of 2248	1220	5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae.exe	30
PID 2248 wrote to memory of 2252	2248	WScript.exe	31
PID 2248 wrote to memory of 2252	2248	WScript.exe	31
PID 2248 wrote to memory of 2252	2248	WScript.exe	31
PID 2248 wrote to memory of 2252	2248	WScript.exe	31
PID 2252 wrote to memory of 2632	2252	cmd.exe	33
PID 2252 wrote to memory of 2632	2252	cmd.exe	33
PID 2252 wrote to memory of 2632	2252	cmd.exe	33
PID 2252 wrote to memory of 2632	2252	cmd.exe	33
PID 2632 wrote to memory of 600	2632	DllCommonsvc.exe	80
PID 2632 wrote to memory of 600	2632	DllCommonsvc.exe	80
PID 2632 wrote to memory of 600	2632	DllCommonsvc.exe	80
PID 2632 wrote to memory of 976	2632	DllCommonsvc.exe	81
PID 2632 wrote to memory of 976	2632	DllCommonsvc.exe	81
PID 2632 wrote to memory of 976	2632	DllCommonsvc.exe	81
PID 2632 wrote to memory of 304	2632	DllCommonsvc.exe	82
PID 2632 wrote to memory of 304	2632	DllCommonsvc.exe	82
PID 2632 wrote to memory of 304	2632	DllCommonsvc.exe	82
PID 2632 wrote to memory of 328	2632	DllCommonsvc.exe	83
PID 2632 wrote to memory of 328	2632	DllCommonsvc.exe	83
PID 2632 wrote to memory of 328	2632	DllCommonsvc.exe	83
PID 2632 wrote to memory of 1672	2632	DllCommonsvc.exe	84
PID 2632 wrote to memory of 1672	2632	DllCommonsvc.exe	84
PID 2632 wrote to memory of 1672	2632	DllCommonsvc.exe	84
PID 2632 wrote to memory of 1944	2632	DllCommonsvc.exe	85
PID 2632 wrote to memory of 1944	2632	DllCommonsvc.exe	85
PID 2632 wrote to memory of 1944	2632	DllCommonsvc.exe	85
PID 2632 wrote to memory of 1748	2632	DllCommonsvc.exe	86
PID 2632 wrote to memory of 1748	2632	DllCommonsvc.exe	86
PID 2632 wrote to memory of 1748	2632	DllCommonsvc.exe	86
PID 2632 wrote to memory of 872	2632	DllCommonsvc.exe	88
PID 2632 wrote to memory of 872	2632	DllCommonsvc.exe	88
PID 2632 wrote to memory of 872	2632	DllCommonsvc.exe	88
PID 2632 wrote to memory of 1940	2632	DllCommonsvc.exe	90
PID 2632 wrote to memory of 1940	2632	DllCommonsvc.exe	90
PID 2632 wrote to memory of 1940	2632	DllCommonsvc.exe	90
PID 2632 wrote to memory of 1580	2632	DllCommonsvc.exe	94
PID 2632 wrote to memory of 1580	2632	DllCommonsvc.exe	94
PID 2632 wrote to memory of 1580	2632	DllCommonsvc.exe	94
PID 2632 wrote to memory of 352	2632	DllCommonsvc.exe	95
PID 2632 wrote to memory of 352	2632	DllCommonsvc.exe	95
PID 2632 wrote to memory of 352	2632	DllCommonsvc.exe	95
PID 2632 wrote to memory of 1680	2632	DllCommonsvc.exe	96
PID 2632 wrote to memory of 1680	2632	DllCommonsvc.exe	96
PID 2632 wrote to memory of 1680	2632	DllCommonsvc.exe	96
PID 2632 wrote to memory of 2572	2632	DllCommonsvc.exe	97
PID 2632 wrote to memory of 2572	2632	DllCommonsvc.exe	97
PID 2632 wrote to memory of 2572	2632	DllCommonsvc.exe	97
PID 2632 wrote to memory of 1612	2632	DllCommonsvc.exe	98
PID 2632 wrote to memory of 1612	2632	DllCommonsvc.exe	98
PID 2632 wrote to memory of 1612	2632	DllCommonsvc.exe	98
PID 2632 wrote to memory of 2340	2632	DllCommonsvc.exe	99
PID 2632 wrote to memory of 2340	2632	DllCommonsvc.exe	99
PID 2632 wrote to memory of 2340	2632	DllCommonsvc.exe	99
PID 2632 wrote to memory of 2596	2632	DllCommonsvc.exe	100
PID 2632 wrote to memory of 2596	2632	DllCommonsvc.exe	100
PID 2632 wrote to memory of 2596	2632	DllCommonsvc.exe	100
PID 2632 wrote to memory of 2844	2632	DllCommonsvc.exe	112
PID 2632 wrote to memory of 2844	2632	DllCommonsvc.exe	112
PID 2632 wrote to memory of 2844	2632	DllCommonsvc.exe	112
PID 2844 wrote to memory of 2884	2844	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae.exe
"C:\Users\Admin\AppData\Local\Temp\5c874d770273a6fedfdb3ca90992314cd2b3d6da7695ad3ccbeffd1945298eae.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0KGsCHCwju.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2884
      - C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
        7⤵
        
        PID:688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2416
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat"
        9⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2704
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        11⤵
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2184
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        13⤵
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1728
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        15⤵
        
        PID:1904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:884
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat"
        17⤵
        
        PID:600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2588
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        19⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1008
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
        21⤵
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1944
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        23⤵
        
        PID:1080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3068
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        25⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:288
        
        C:\MSOCache\All Users\dllhost.exe
        
        "C:\MSOCache\All Users\dllhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Searches\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99c228d4cb46d580559624e67111aecf

SHA1
0e9f397fbb052025f0a43c05c5b6ffa88de90c38

SHA256
ff7f8024599bc46f0c547fa50ed3ecc28ec877a868318bd3da828fc67a4d55c3

SHA512
ed28eba017dffab416319f849723519fb7026c320ba2f017431699cd3b041fcaef5cb91f9ab61a198c18497959eb7103d4646f864b2cf231862697fe21360e91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d39985f59d8a8649f6c20ac08d76e894

SHA1
c65db36145b36424f41d4ee34ae07d8980c60969

SHA256
4519d85b464370ceedb509bdfcf9f9bdab435893376a81f796333044f34d7bdf

SHA512
bd13bd0ab718fded92dee86bdeb1c6d18e008fe20212f978f2bc9a49ad600da028ca8dbf38260ed71f33e5d3313afcfd11587dd09ff9033bd53cf79247696a76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
251e5110c1f0d05261f6942b85dfad1e

SHA1
05df62fb42c0cf39015115abbfd707bb5e6b5e79

SHA256
cb06c67da2d41ddd3c33d790837b49b6819610c61d2b389346ab03f95c09affe

SHA512
f69c07bf2ae5c947481d0baca0d6ffbd56f8f824ef4ef4cb610ba1f37e0da2916ff276a4347beab88ff319a8ad9407071c2bdb4a9dcbfc2f72d5835b85ff91a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4a5c2567d7e9198948209bf456afdab

SHA1
7af17d4ef6eea6d672c6120447fc325415a51ee2

SHA256
ea094d2f420a379975c8abe5a49ccb9f339cd7db52bd48bc25b2ed5b8f0a651f

SHA512
c2ac1c7a5177573ddda356577832d7150f1f0f32d57c465460284e085c9226d20a2b954feabc2edfa4560a2768f832b4b885bd807ef189d5681eef628092317d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bf080abb06b1065e7135aaca18f8b39

SHA1
0635808fc7cc0a4db3934452cd408a652626c7b7

SHA256
48317da78955f6a123829f25b07b27d3f896f51cc086006752672947b5dae35e

SHA512
25ff23c1d38e4cdbd8de0b45413e07dc24cb1280f3b75b258536d3a6946643e16b8cd066dd39f2dd0bd25d0a0411e273986a2809f21ed253b3f3f72efb9cba5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a1e1e341b42f8b5b25aae8e5950399a

SHA1
93ee9760fa4a5dcbd79f3a08dc0ba1078f05693d

SHA256
a0759b9e88a9972653fd44cc5510d03c3f1f87b591fb83e6195fedcc21abfa58

SHA512
5c46a8a09588c6baa417f966e5d317701f18ba235f2a28b201280c98fd35115f4b6ad09bb57b87270cf5d35503ca12902e50c9841a88e620b39022c045beaee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3178e81fa77ebd8842f877a81a42f652

SHA1
c4739d9b3447e370f6023bf41b6920a477556ee5

SHA256
3cf767a96771dc42351c1d0f2984ed7ddc5491b7f0c1a8cabbdc79c2d1b56495

SHA512
d5f9c10169fc00faa9482a5583b02a328ef36a0c84ab8d851f9cbf6ce4d3becfdef4e90c7cab24f6d96d75ff67e83f7439185a295d48629e78d9c9276e19458d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e2130fb94ecf9233e240648d1ef7daf

SHA1
a6eb12b50e91a3e28a96695b6403a5a3036082a0

SHA256
242bbd61cbc42a1c957a1b665a096eb31483a80abb977590446474d48cf5067a

SHA512
0b63c8a919518ba48a776c13e903e5dd21fbfa3d7bbb330c09dcc1ea7c6383b8c25b8765ea6459943656c07ecf479aff8b4633575f9abc5a95e0d07ed10535d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
569ef74719f23f470cc17518cebe9bbf

SHA1
c49ff34909b01c475917cbec9a835eb29956460f

SHA256
103bfd300eb34c112880114369e012ef315766775afc2f098735de3db2a24313

SHA512
93826bd97e778214106ddafd7e10be49fa692b1185130a21b641d0bbb5e81c547193f96d7dd3dbb2486eb6d6243c7aa8a7765bd9accde90fb7ffa0a802f68b47

Download Submit
C:\Users\Admin\AppData\Local\Temp\0KGsCHCwju.bat

Filesize
198B

MD5
2b00c41fc04ba7a7a7190d64736ff814

SHA1
1516062da106a816111015cfbd86fefa922e0b26

SHA256
1e0514326b9d71304acb4d9955cedf2c662440ed409abf813c6ebc5931dca79c

SHA512
6e9aff971122de2df71a257ae07adbf12f78c47e664aef5e956004abcd943b95207b644dd2b5cd83984e3e8ab3cfac87465396461e5074838918db560c3ac439

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
198B

MD5
40a40f8f6f6034369df01d0bc0850137

SHA1
03c4ed82dbd78f523752973f97176ba4fde6ffa2

SHA256
eb29b3ce0980a8b2be1282f8bca7108c05d2880a396ad9a312be547958c50c1a

SHA512
c802e0fe60a1479ae212100df0d7c8612aa1a333543448e82b4d9621d5084eb8cd9808fe5baf89ed1ad10678391cc5f5bcdfa6fa641aba735b773f2af22e3036

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
198B

MD5
d02c452effc97ea3de3837521574a646

SHA1
0d214449103c61e67b45272dc77f683623bb03ad

SHA256
ea5cc16de6b399fb6731462d2fa445523fa4cbf6dca1be642da089b33f98963c

SHA512
e9935d250f7f359352055ff7d722225a9c84592b390b94571df8d874be83d9c57d173e37436aec9d76d952642dbf131d386b61161bc5fc697fdc869b52bb9cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6x2cfOw3ED.bat

Filesize
198B

MD5
4f8a0ab6a8547a15f49cbb0b5afdc2b2

SHA1
91b3bf533b00ce0b900a1c3b6e5ea122e78cddd6

SHA256
93b32c81106a902353267132b8f2c125dace6e6dbbe49010be80398dea953c62

SHA512
71be7624d037c3db8713e18ac4d87d395a78d29df22f61f09450cc5bad223455513983ffd84b286b6e231ee23e8a56a1b05a4ec7b15936e5c877a2dcfba95883

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
198B

MD5
521806870d31ed375ace00cebac5779c

SHA1
53dce129a83d635fe0364ae69f9fd6d52c50d3fa

SHA256
6a12712ccd590fafeda5b63b61370a425b946c88c75931a46b24a80c04eacb96

SHA512
94948c9a0fcbcd6d46689f3bf6a20bffd678e4865a2a1c1d78115fc96a04ea6099455c48f96d3aecedcf0b56ee2d82744a8065a89540fd66400ddbd278b23d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1306.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1338.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
198B

MD5
a724f4a077783630c66bface1c0f2219

SHA1
12cc8d4db45663992d41a9b34d53d7f34a34bf9b

SHA256
c87f41ce3ff3a76307c87b2f88cbf4c29f836ea8b9b2e3140733b639111d7760

SHA512
e4c5a3cebd1185cb7f011c08bbf398f3f5879faaeaec65340202122cfc439113ea9f16b31259477988a667c7793c7db83f0060fca9553f6bcbb8862caf9c6c02

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZHEG9SYztW.bat

Filesize
198B

MD5
9ae1458abb0f633d5253f1c23dd89cc3

SHA1
4ce8654b2ff1b64add7f357e998db8fb97b44672

SHA256
6957fd6c2986ea244014e384934b24c30ccd4e5f9701f3614aa93cc5ad1730fd

SHA512
f6ae26b94a1587424889c6cb9868104cb4ed62e01b9abc162dbe0b30b6f63d64825c02171e707faabd71727a28c9ad96395ef7d99ebf1fc5e31f50f8ef7cbdcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
198B

MD5
4bbb4525d5c3d5cf8f264301aac23977

SHA1
8ab27fae1062a7707a7ffcd799493a0e4bf2627f

SHA256
56c8f6fde00177646defbb970931366bc262f0c6193c6766365abb09a034a894

SHA512
720fe80f9ff4e44a11ab09fe37edeb29c4e3be1dda2990cb9e91f982716573990d8316c5cc5f8a870d008e5ebc40bbb8c12490c9aaeb2cad4ae708715075b463

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

Filesize
198B

MD5
4390de9b675a85ac6319207f75ff7329

SHA1
7a654a127f11e5c73953fec4dcf4fbb74915bc66

SHA256
e073aea1dcc9554a83a2cad5a9b86b822297d60cfabd0f7437d105affb5a13e9

SHA512
8689183ff7fcca878d85733f5ab91bcfc28de103b3804eaa4aa2bbb6731120c87fb7765adb536f7a98a1333f78527c57b848957c08c63ff91d20b93f8cfcd94b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
198B

MD5
361e41fec752d1938ca0ef603f18e528

SHA1
0ba376d18115c60c268640098b91f2ddcc745543

SHA256
c30ff8199b44714a427a108b7f1aecbf267f7ef3e6a028db9e01bdbd846962d1

SHA512
0b6c170cdda19c9a47a12c4be7e2f680597a82a5c3b7f098e0076684fd30829c6c4024e77ff7824b2349226f21af5205612bde21e61e27369bbc4111ed5acbf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat

Filesize
198B

MD5
93c98f93179d458f91bddcab1ea4c5e5

SHA1
a24e0bbacecbf9bb599c87c45d941175479f350d

SHA256
aee05ca7a2338547845f13c65867af9bf225be0925d23e5165bae4cd9ed8eafd

SHA512
b58aefde1879d4e1700b243db9c3c9c2efec1a1e3e91bc8d3db6ff91b8c577934f7475f05c9213e842cfe73c7da799939ffc1131e3fdcc929c9be10647cd84c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
375d52ebbf7a53b0bdab1691af2ac50a

SHA1
4bcd8b6eb8f425d269c64957485e33e26e25b8fe

SHA256
31795d901b1adfc03b2f3d6fc36f0fa07356b4a59634521b6d183e9418e3a7fc

SHA512
991f7c16924ae1ef049965a6926738e172e57ab01673c21e2a5b99f61aab174e2bda7ccee0d788838448ef572396644f2121128357ba4ce89ed4e7a3119d912a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/328-64-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/328-65-0x00000000020F0000-0x00000000020F8000-memory.dmp

Filesize
32KB

Download
memory/628-492-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/1120-133-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/1220-313-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/1464-552-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/2140-192-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/2192-671-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2472-731-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2632-17-0x0000000000710000-0x000000000071C000-memory.dmp

Filesize
48KB

Download
memory/2632-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2632-15-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/2632-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2632-13-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/2740-432-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2952-253-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2952-252-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download