dcrat | aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab.exe
Size

1.3MB
MD5

eb6f471e2955cb6fcc7911ed5011b64c
SHA1

ead7e1930877495ed9df197935c861c88c43d226
SHA256

aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab
SHA512

afd5caabedfde391c79c755c26c166801b5ef8dc6c1de390af377e37425f43bbbe88eff81ed9c25c9e90ac97778680b6ed1a31fa5741595e2208b91024c82d6b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2668	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019397-12.dat	dcrat
behavioral1/memory/2856-13-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/1624-148-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/1192-564-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/896-625-0x0000000000C90000-0x0000000000DA0000-memory.dmp	dcrat
behavioral1/memory/1696-685-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe
2548	powershell.exe
2580	powershell.exe
2780	powershell.exe
2656	powershell.exe
2688	powershell.exe
2692	powershell.exe
2676	powershell.exe
1536	powershell.exe
2948	powershell.exe
2572	powershell.exe
2636	powershell.exe
2564	powershell.exe
2612	powershell.exe
2800	powershell.exe
2144	powershell.exe
2932	powershell.exe
2672	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2856	DllCommonsvc.exe
1624	spoolsv.exe
2360	spoolsv.exe
1940	spoolsv.exe
2928	spoolsv.exe
2212	spoolsv.exe
584	spoolsv.exe
1548	spoolsv.exe
1192	spoolsv.exe
896	spoolsv.exe
1696	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	cmd.exe
2708	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
25	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\fr-FR\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\system\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Media\Garden\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Garden\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1280	schtasks.exe
1724	schtasks.exe
1700	schtasks.exe
3048	schtasks.exe
2052	schtasks.exe
1860	schtasks.exe
1712	schtasks.exe
1504	schtasks.exe
1792	schtasks.exe
1308	schtasks.exe
1716	schtasks.exe
2528	schtasks.exe
2888	schtasks.exe
2588	schtasks.exe
840	schtasks.exe
2352	schtasks.exe
376	schtasks.exe
780	schtasks.exe
2412	schtasks.exe
888	schtasks.exe
1476	schtasks.exe
2100	schtasks.exe
1652	schtasks.exe
848	schtasks.exe
1780	schtasks.exe
3004	schtasks.exe
1088	schtasks.exe
584	schtasks.exe
280	schtasks.exe
1192	schtasks.exe
2984	schtasks.exe
2728	schtasks.exe
1324	schtasks.exe
1372	schtasks.exe
2516	schtasks.exe
2844	schtasks.exe
2120	schtasks.exe
2768	schtasks.exe
2200	schtasks.exe
1592	schtasks.exe
1892	schtasks.exe
2492	schtasks.exe
2060	schtasks.exe
1704	schtasks.exe
2192	schtasks.exe
308	schtasks.exe
1384	schtasks.exe
1052	schtasks.exe
2204	schtasks.exe
2916	schtasks.exe
288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2856	DllCommonsvc.exe
2800	powershell.exe
2780	powershell.exe
2548	powershell.exe
2656	powershell.exe
1536	powershell.exe
2276	powershell.exe
2676	powershell.exe
2688	powershell.exe
2692	powershell.exe
2144	powershell.exe
2564	powershell.exe
2580	powershell.exe
2636	powershell.exe
2948	powershell.exe
2672	powershell.exe
2932	powershell.exe
2572	powershell.exe
2612	powershell.exe
1624	spoolsv.exe
2360	spoolsv.exe
1940	spoolsv.exe
2928	spoolsv.exe
2212	spoolsv.exe
584	spoolsv.exe
1548	spoolsv.exe
1192	spoolsv.exe
896	spoolsv.exe
1696	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2856	DllCommonsvc.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	1624	spoolsv.exe
Token: SeDebugPrivilege	2360	spoolsv.exe
Token: SeDebugPrivilege	1940	spoolsv.exe
Token: SeDebugPrivilege	2928	spoolsv.exe
Token: SeDebugPrivilege	2212	spoolsv.exe
Token: SeDebugPrivilege	584	spoolsv.exe
Token: SeDebugPrivilege	1548	spoolsv.exe
Token: SeDebugPrivilege	1192	spoolsv.exe
Token: SeDebugPrivilege	896	spoolsv.exe
Token: SeDebugPrivilege	1696	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2948	2656	JaffaCakes118_aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab.exe	30
PID 2656 wrote to memory of 2948	2656	JaffaCakes118_aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab.exe	30
PID 2656 wrote to memory of 2948	2656	JaffaCakes118_aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab.exe	30
PID 2656 wrote to memory of 2948	2656	JaffaCakes118_aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab.exe	30
PID 2948 wrote to memory of 2708	2948	WScript.exe	31
PID 2948 wrote to memory of 2708	2948	WScript.exe	31
PID 2948 wrote to memory of 2708	2948	WScript.exe	31
PID 2948 wrote to memory of 2708	2948	WScript.exe	31
PID 2708 wrote to memory of 2856	2708	cmd.exe	33
PID 2708 wrote to memory of 2856	2708	cmd.exe	33
PID 2708 wrote to memory of 2856	2708	cmd.exe	33
PID 2708 wrote to memory of 2856	2708	cmd.exe	33
PID 2856 wrote to memory of 2800	2856	DllCommonsvc.exe	86
PID 2856 wrote to memory of 2800	2856	DllCommonsvc.exe	86
PID 2856 wrote to memory of 2800	2856	DllCommonsvc.exe	86
PID 2856 wrote to memory of 2676	2856	DllCommonsvc.exe	87
PID 2856 wrote to memory of 2676	2856	DllCommonsvc.exe	87
PID 2856 wrote to memory of 2676	2856	DllCommonsvc.exe	87
PID 2856 wrote to memory of 2144	2856	DllCommonsvc.exe	88
PID 2856 wrote to memory of 2144	2856	DllCommonsvc.exe	88
PID 2856 wrote to memory of 2144	2856	DllCommonsvc.exe	88
PID 2856 wrote to memory of 2780	2856	DllCommonsvc.exe	89
PID 2856 wrote to memory of 2780	2856	DllCommonsvc.exe	89
PID 2856 wrote to memory of 2780	2856	DllCommonsvc.exe	89
PID 2856 wrote to memory of 2656	2856	DllCommonsvc.exe	90
PID 2856 wrote to memory of 2656	2856	DllCommonsvc.exe	90
PID 2856 wrote to memory of 2656	2856	DllCommonsvc.exe	90
PID 2856 wrote to memory of 2688	2856	DllCommonsvc.exe	91
PID 2856 wrote to memory of 2688	2856	DllCommonsvc.exe	91
PID 2856 wrote to memory of 2688	2856	DllCommonsvc.exe	91
PID 2856 wrote to memory of 2932	2856	DllCommonsvc.exe	92
PID 2856 wrote to memory of 2932	2856	DllCommonsvc.exe	92
PID 2856 wrote to memory of 2932	2856	DllCommonsvc.exe	92
PID 2856 wrote to memory of 2672	2856	DllCommonsvc.exe	93
PID 2856 wrote to memory of 2672	2856	DllCommonsvc.exe	93
PID 2856 wrote to memory of 2672	2856	DllCommonsvc.exe	93
PID 2856 wrote to memory of 2276	2856	DllCommonsvc.exe	94
PID 2856 wrote to memory of 2276	2856	DllCommonsvc.exe	94
PID 2856 wrote to memory of 2276	2856	DllCommonsvc.exe	94
PID 2856 wrote to memory of 2692	2856	DllCommonsvc.exe	95
PID 2856 wrote to memory of 2692	2856	DllCommonsvc.exe	95
PID 2856 wrote to memory of 2692	2856	DllCommonsvc.exe	95
PID 2856 wrote to memory of 1536	2856	DllCommonsvc.exe	96
PID 2856 wrote to memory of 1536	2856	DllCommonsvc.exe	96
PID 2856 wrote to memory of 1536	2856	DllCommonsvc.exe	96
PID 2856 wrote to memory of 2948	2856	DllCommonsvc.exe	97
PID 2856 wrote to memory of 2948	2856	DllCommonsvc.exe	97
PID 2856 wrote to memory of 2948	2856	DllCommonsvc.exe	97
PID 2856 wrote to memory of 2636	2856	DllCommonsvc.exe	98
PID 2856 wrote to memory of 2636	2856	DllCommonsvc.exe	98
PID 2856 wrote to memory of 2636	2856	DllCommonsvc.exe	98
PID 2856 wrote to memory of 2572	2856	DllCommonsvc.exe	99
PID 2856 wrote to memory of 2572	2856	DllCommonsvc.exe	99
PID 2856 wrote to memory of 2572	2856	DllCommonsvc.exe	99
PID 2856 wrote to memory of 2548	2856	DllCommonsvc.exe	100
PID 2856 wrote to memory of 2548	2856	DllCommonsvc.exe	100
PID 2856 wrote to memory of 2548	2856	DllCommonsvc.exe	100
PID 2856 wrote to memory of 2564	2856	DllCommonsvc.exe	101
PID 2856 wrote to memory of 2564	2856	DllCommonsvc.exe	101
PID 2856 wrote to memory of 2564	2856	DllCommonsvc.exe	101
PID 2856 wrote to memory of 2580	2856	DllCommonsvc.exe	102
PID 2856 wrote to memory of 2580	2856	DllCommonsvc.exe	102
PID 2856 wrote to memory of 2580	2856	DllCommonsvc.exe	102
PID 2856 wrote to memory of 2612	2856	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aaf0e6330b5dc1eb7f2303711c67d53809fd73ed60e0fc0e933eee2c56488aab.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Garden\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHxTOCez5H.bat"
        5⤵
        
        PID:1676
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2764
      - C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
        7⤵
        
        PID:2304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2460
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
        9⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1216
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        11⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1076
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat"
        13⤵
        
        PID:1956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2632
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        15⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2676
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        17⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1756
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
        19⤵
        
        PID:912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:288
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        21⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:448
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"
        23⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1348
        
        C:\MSOCache\All Users\spoolsv.exe
        
        "C:\MSOCache\All Users\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat"
        25⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\system\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Public\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Garden\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Media\Garden\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Garden\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1536684ecadafe6fa7b6056085e1f2df

SHA1
9504be17153ab383df9804ddad69a7025526d8c2

SHA256
01f630fa54cb88f698903a208398dd4fb32b7980d79fdab416d8c7bb02dce5f6

SHA512
507561b4187e0d1c99406112a9b1bfeb48a918793f2c140ebe35c0263f9008b1578c5909e9dc971644e63895966740ebf1b3e75d168fb3fd54a6719fd8f1208f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ded50f9d7559fae9ac8a18696c15fbe

SHA1
bcb65ec2737dd2c688538e09cccd5a70569bc8d9

SHA256
51262c14a0eabd0323951ca7d40e8186464701cf55f4dfd084bff3f004dd9897

SHA512
c49d8c6fdb3e50ec82a9b6b3c09a5f9b8919659485334f81b3d13e47f064329825f745b0f56472a297afc989c337d749f09b14e28660ae6e68c1fab189395405

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
774cbf9182fcacd4786454ffe882835b

SHA1
f0d598e0233a77d6e34286e2ac0a82dc73331a62

SHA256
e8c3fa9d345d6ea0a7e56eeb51046ba23aef34fd926bca26d52c5571171f951d

SHA512
7c64a40efea3b7223915c7ad177019ae4aca2a82565e5403e9830bd300121c6bfab04ec05803d3154619029421b0429d5df71d5084f35f70e672068b0ec9c904

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cfa3b2df4105615ebe177a2f405354a

SHA1
924ff35685598ed4ea00abb58b8612261265e230

SHA256
c9cb7f150274ddbf551f7af8dfec02b02075f9a6b9d85e74b3de6f7bc29bc96d

SHA512
01a15075d98931dff0d4bc716801e176461608d1f6800eb8682800831e10e2609b19ebc1dcb6a0dd01b0745142b7b9294fe74a7c9394989dc9bb3c7bd09554f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
315cc0751ff987e5eef67eef7b6bb733

SHA1
2dc6339c529f86e6b15e03618c795fd824e940e3

SHA256
d49c714dbd7422027ca9b528241f9248ad358eec713f91b9200269e105c9abb5

SHA512
f785791ecfb1cf35fddbf62aac01a1ccf35b24493945d55d51025aa9a91258e941eb7bf679da58e5a68a10cc6bdcddbcb5843ffb7cfc80334eca9a9908c2e176

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adcbe3ee175d495ec1b5cc807bff83e7

SHA1
8c08c3be4c9f45da172ecc1d78de0f6545f6ad04

SHA256
7ed68eee00f09f632799a701e3075e3078255402e211b1293f34bdb7d4baa8c9

SHA512
18db5314612cbab69f04d248bd5d2bb33fcf45fde1f7547aea1798c17f4fda5e6ae522fbf2a204038f226be8579f2d61e122ee0f6c035e72bc80e31d891d0333

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0b011767e3c1ccee88c16875b3983c5

SHA1
beda45b1d97beb83a6e712e15c8ff4749069c846

SHA256
acf8ea6f00e7d1d7b5f17db2d187b8283d7f70069f229bd983548f990a9aa210

SHA512
ee8761d4f7e125da51bae47b2de9f66d29b1cc55fdfe246805f1e2726d4a7bc23f3cb41e39575aaf9048b5493bc45224f0ceba29e2b2e28fc36505bbcafe627b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adf43a05c3d069b8e7c3ed47ab5ff5ea

SHA1
2a7956eaa0f2a8c848519f85a75a89478a2107e7

SHA256
0d97c20447cfb455eb800804e2567def004602987d193fc2cabe31866aed72c8

SHA512
79fa39cf91066d93e0c5675e9637d5b0012754f3f8a269a9810cd03dacd0b5e913829b029786e11aeedf6361416d4064a385609b734cd19ba5a7b05d4509a3bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d75f9a71f0da02289c60fdbc38bb0011

SHA1
c6d46dee4cff9e58df74c48cecd58b2221bb2e1c

SHA256
992e207d490f8528bc85ae935ca037c2f7fff1eb4327ff4fb7dc419850f49420

SHA512
77703623758515f41bf5c7f3a3b377b821043ba42bd5bcd28795656bde6d84c0b0c900e30900cd6d89d41ed2ea2abcd1d3932ea6a7f509ad933666423cae1629

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
198B

MD5
1d55113f7a326dbb4af10b3281e1ef44

SHA1
7a90bfc16f187c1d2bb862d073df1680fd06011c

SHA256
481221c09b5ecb2fcde7d93fc09d1153cc95d28a9125e8de6e9860dafaf35251

SHA512
55ba587c174caf3b560d1ab32938967e8aec31f65f481a6174133fd048621668eba36fccc08ee77093ec4fec73348e44a2ccf1620eed93ed5803e8f4164d3c96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab66E0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
198B

MD5
da4a1f594abf8303df8df4a85f8d4d61

SHA1
66f34d6b16ec61d37f54fa21bca17d7d76214368

SHA256
7b54554dbeb4fbc05806a24661d08f0ecc3f5b32607d85e4b5cdb93ec62460a9

SHA512
d0dcfb60da8a4386d4c0bf82788b99abc3171f52f17b8cbab8878eca2f7f3677555b3c29801c89201c749caa6fa085d36ab7639c197d41c352137d32e54a9350

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

Filesize
198B

MD5
428657c04a4874f8f6ffa9089e8794fc

SHA1
e30a8ef7a652bdf9b3b777bf651fd7b43afaf868

SHA256
640dfdf96f3dd2eaa9a4e5caedd5e12ce522871c0690f9f412170de9dfaa3fa9

SHA512
7f5f0fbcea7c8896b9ce447e0e92b83cdc5b02b8ad20039039f83d333eebdd2ca6996ce65d243f06cbdd937364239a7af4a42dffbfd3fdee6953ef491f68caba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6702.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iPSx7mMsuZ.bat

Filesize
198B

MD5
45c7b283e30bde55325d63f3eeefd715

SHA1
324d57588db39b97dac9ee5ca99745e2ae9b9431

SHA256
7da692886791e44a1978410b7bc22d03b6fb8d0679baac331591a66dc852dffa

SHA512
0b4aa74533697b103352ca3c04dbe1c0780c96d1590f78389aff5e77fc564ddab725e091f1e0ec49a9f4cc88d923ff813fb4dd40e5e36eb9142afad517af6a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
198B

MD5
16179b7d8b8125bdf7eabc4d4cc3c711

SHA1
c437ea7b3d6c19528f3869858d78e9c5a8b6c0ef

SHA256
e6c6396f95fef61fbd0d1127508050632bf5af005269d2724669dd259368b082

SHA512
64260c987cafa7aca7b7510e260da4b215490bb486e7212439b5d2c9388c29002bca73247df337fd13b9e724970e59edf5d7e3af303a80c0f5e31e7ef5d07d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
198B

MD5
c683ae16302b5663df86b019bc4835e8

SHA1
e969701f78cfc40c58dc83dd9e61c5b6a6f21944

SHA256
f57eb747c344ae1b06f882106be0f79f93977f31d36d8fa83bb4818cd2bb3f92

SHA512
530f8db9b2e00ef9ed2bdb7e6c648093cb3c6c9c7505e1887060a94e17162f558cd759ee7727232e80b8a8fed2a1eaa3074aa6f6a070494b1304040ecb69f058

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHxTOCez5H.bat

Filesize
198B

MD5
a3fbf9feb64561b1403c4bf994b1e51b

SHA1
e07a2feffd8708652e404d5d605f2c113aaa8a63

SHA256
52368d2c818dcd37f275c85f8857cf887f63119738cf40fe813196bf2b40a55f

SHA512
4e8f8e2387ad4419a4ea0c597b028bbf37cf7c56e9c8362c7912a0718abfe97b310ed1d1b9263cbe9e6dc57f046204463bd4ca1eaa16e8f3af8d8fa1fb2635c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
198B

MD5
2d74dcede7985fb39cf20e9a28bdfc3a

SHA1
d084afe8712ad7868f8de12b614501519788547b

SHA256
fcea9e46834c16527ba0e427af4c44f1a2d595b2de3b6838fefbd624b0dcab51

SHA512
996001fced3dbb26779645621a60a4626126913d043b3beed7eb41e53c43d07b9443be872abb707b13deee3ffef0c2e5ce6d8a03480b3928c93a0d055727a1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdW26R6SPG.bat

Filesize
198B

MD5
94fe60a62c3edeb64d452ac6d1737c7e

SHA1
4ff876a10c16c37b8194dc2b8245eaa020074a17

SHA256
a6e5f9b2533dac5b8b50e12ac7fa8e30506b554958ea1d8ed9606be370209b52

SHA512
24a333f938ce64204b99e59c7ab24fa5199c89adff547d49b9f19f5de9c1f34d68cb67b0c333a5d68b4fbef6993eb009457dfde529bcf5ebb82c44d3f0e52c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat

Filesize
198B

MD5
ecdde36449f9acb945a4d4dacc3fec26

SHA1
8ffb73badf1e55134e0b11a1aff90e3000de7ac7

SHA256
c4a04a59e4822d80e57aeb9011cc7ac85d25a2f02b224a875594ca606b154310

SHA512
a6cb61ca8faed5f7c7138f8d247bf9c782f96a4192ae90d2faeae8e8f8d4c1ce7554044381a0d6d342b1a0b532a5c7a3ac7f41039aa8600bf7c0a87b8f5a69e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
198B

MD5
3b91b955c12336a5d22640fdb4cae62f

SHA1
e2626fd1136ec4b6f65e44d24f49b55fab157a3e

SHA256
0d1d94de1bece305dfc6e01c87ca3ea275172d8fc70c44ae07d5ec3e754a5bb5

SHA512
78e5f60ac4650c51bc7aeabb1967005b705d0813644d18b6acee157f5e0a2840e940f5d3929de54e331281169ce6bd01588975729ed9c075d065a4b3a9c9473b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
31dde3bfb657d82a70628ec8951bd03b

SHA1
ccfe9fdadb6edf249f626b34122d2052c6b8e461

SHA256
9b12d8be1764309e85213d4489efcaf67528404ba899ac5fd58f685d0069acdd

SHA512
e0b8ab48d9a35dfeb550083f33b23f45f084a37ed39cae214bf1d11b33b2be265ea5556f2e1801f4337df954f11e588a80f453281e161625ec9fdd3fafab2e5a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/584-445-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/896-625-0x0000000000C90000-0x0000000000DA0000-memory.dmp

Filesize
1.1MB

Download
memory/1192-565-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1192-564-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1624-148-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/1624-149-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1696-685-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/1940-267-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2800-65-0x000000001B6E0000-0x000000001B9C2000-memory.dmp

Filesize
2.9MB

Download
memory/2800-70-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2856-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2856-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2856-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2856-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2856-13-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download