dcrat | 42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0.exe
Size

1.3MB
MD5

3379f2c2d287293574611336ae57e21f
SHA1

4aae938147b9d8d225bb615918b90ad6272a251b
SHA256

42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0
SHA512

61b60919a6337d544958dd187fb0acc17abfe1706da255e7ea85e926607d62c22cceddc22404ad4d3446335d05499e3f5b1affdf3fcaa8add89e045c6689e66b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2964	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2964	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019377-9.dat	dcrat
behavioral1/memory/1916-13-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/3004-56-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/3768-201-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2976-262-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2440-323-0x0000000000A20000-0x0000000000B30000-memory.dmp	dcrat
behavioral1/memory/2092-383-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/1040-443-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/1708-564-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2944-683-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2352	powershell.exe
824	powershell.exe
1256	powershell.exe
1904	powershell.exe
2008	powershell.exe
1688	powershell.exe
1588	powershell.exe
2128	powershell.exe
2428	powershell.exe
1036	powershell.exe
1320	powershell.exe
1684	powershell.exe
1940	powershell.exe
2080	powershell.exe
1932	powershell.exe
2072	powershell.exe
2600	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1916	DllCommonsvc.exe
3004	audiodg.exe
3768	audiodg.exe
2976	audiodg.exe
2440	audiodg.exe
2092	audiodg.exe
1040	audiodg.exe
984	audiodg.exe
1708	audiodg.exe
2116	audiodg.exe
2944	audiodg.exe
1796	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
1616	cmd.exe
1616	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
37	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sppui\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\sppui\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\en-US\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\es-ES\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\es-ES\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\en-US\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\tracing\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\CSC\v2.0.6\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe
3056	schtasks.exe
2696	schtasks.exe
1828	schtasks.exe
2516	schtasks.exe
1992	schtasks.exe
2056	schtasks.exe
1100	schtasks.exe
1920	schtasks.exe
2808	schtasks.exe
668	schtasks.exe
2860	schtasks.exe
1140	schtasks.exe
2272	schtasks.exe
2100	schtasks.exe
2000	schtasks.exe
2492	schtasks.exe
1772	schtasks.exe
2060	schtasks.exe
2796	schtasks.exe
1084	schtasks.exe
2456	schtasks.exe
2616	schtasks.exe
740	schtasks.exe
3012	schtasks.exe
2508	schtasks.exe
1300	schtasks.exe
1612	schtasks.exe
872	schtasks.exe
1648	schtasks.exe
2988	schtasks.exe
2920	schtasks.exe
2500	schtasks.exe
1708	schtasks.exe
1812	schtasks.exe
1288	schtasks.exe
2812	schtasks.exe
2728	schtasks.exe
2580	schtasks.exe
1284	schtasks.exe
2160	schtasks.exe
2960	schtasks.exe
2976	schtasks.exe
2744	schtasks.exe
572	schtasks.exe
2736	schtasks.exe
2240	schtasks.exe
1040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
1916	DllCommonsvc.exe
1916	DllCommonsvc.exe
1916	DllCommonsvc.exe
2600	powershell.exe
2128	powershell.exe
2072	powershell.exe
1588	powershell.exe
824	powershell.exe
1684	powershell.exe
2428	powershell.exe
1688	powershell.exe
2352	powershell.exe
1932	powershell.exe
2080	powershell.exe
1036	powershell.exe
1256	powershell.exe
1320	powershell.exe
1940	powershell.exe
1904	powershell.exe
2008	powershell.exe
3004	audiodg.exe
3768	audiodg.exe
2976	audiodg.exe
2440	audiodg.exe
2092	audiodg.exe
1040	audiodg.exe
984	audiodg.exe
1708	audiodg.exe
2116	audiodg.exe
2944	audiodg.exe
1796	audiodg.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	DllCommonsvc.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3004	audiodg.exe
Token: SeDebugPrivilege	3768	audiodg.exe
Token: SeDebugPrivilege	2976	audiodg.exe
Token: SeDebugPrivilege	2440	audiodg.exe
Token: SeDebugPrivilege	2092	audiodg.exe
Token: SeDebugPrivilege	1040	audiodg.exe
Token: SeDebugPrivilege	984	audiodg.exe
Token: SeDebugPrivilege	1708	audiodg.exe
Token: SeDebugPrivilege	2116	audiodg.exe
Token: SeDebugPrivilege	2944	audiodg.exe
Token: SeDebugPrivilege	1796	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 824	1796	42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0.exe	30
PID 1796 wrote to memory of 824	1796	42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0.exe	30
PID 1796 wrote to memory of 824	1796	42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0.exe	30
PID 1796 wrote to memory of 824	1796	42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0.exe	30
PID 824 wrote to memory of 1616	824	WScript.exe	31
PID 824 wrote to memory of 1616	824	WScript.exe	31
PID 824 wrote to memory of 1616	824	WScript.exe	31
PID 824 wrote to memory of 1616	824	WScript.exe	31
PID 1616 wrote to memory of 1916	1616	cmd.exe	33
PID 1616 wrote to memory of 1916	1616	cmd.exe	33
PID 1616 wrote to memory of 1916	1616	cmd.exe	33
PID 1616 wrote to memory of 1916	1616	cmd.exe	33
PID 1916 wrote to memory of 2128	1916	DllCommonsvc.exe	83
PID 1916 wrote to memory of 2128	1916	DllCommonsvc.exe	83
PID 1916 wrote to memory of 2128	1916	DllCommonsvc.exe	83
PID 1916 wrote to memory of 2600	1916	DllCommonsvc.exe	84
PID 1916 wrote to memory of 2600	1916	DllCommonsvc.exe	84
PID 1916 wrote to memory of 2600	1916	DllCommonsvc.exe	84
PID 1916 wrote to memory of 1588	1916	DllCommonsvc.exe	86
PID 1916 wrote to memory of 1588	1916	DllCommonsvc.exe	86
PID 1916 wrote to memory of 1588	1916	DllCommonsvc.exe	86
PID 1916 wrote to memory of 1688	1916	DllCommonsvc.exe	87
PID 1916 wrote to memory of 1688	1916	DllCommonsvc.exe	87
PID 1916 wrote to memory of 1688	1916	DllCommonsvc.exe	87
PID 1916 wrote to memory of 2080	1916	DllCommonsvc.exe	89
PID 1916 wrote to memory of 2080	1916	DllCommonsvc.exe	89
PID 1916 wrote to memory of 2080	1916	DllCommonsvc.exe	89
PID 1916 wrote to memory of 2072	1916	DllCommonsvc.exe	91
PID 1916 wrote to memory of 2072	1916	DllCommonsvc.exe	91
PID 1916 wrote to memory of 2072	1916	DllCommonsvc.exe	91
PID 1916 wrote to memory of 1940	1916	DllCommonsvc.exe	93
PID 1916 wrote to memory of 1940	1916	DllCommonsvc.exe	93
PID 1916 wrote to memory of 1940	1916	DllCommonsvc.exe	93
PID 1916 wrote to memory of 2008	1916	DllCommonsvc.exe	94
PID 1916 wrote to memory of 2008	1916	DllCommonsvc.exe	94
PID 1916 wrote to memory of 2008	1916	DllCommonsvc.exe	94
PID 1916 wrote to memory of 1684	1916	DllCommonsvc.exe	95
PID 1916 wrote to memory of 1684	1916	DllCommonsvc.exe	95
PID 1916 wrote to memory of 1684	1916	DllCommonsvc.exe	95
PID 1916 wrote to memory of 1932	1916	DllCommonsvc.exe	96
PID 1916 wrote to memory of 1932	1916	DllCommonsvc.exe	96
PID 1916 wrote to memory of 1932	1916	DllCommonsvc.exe	96
PID 1916 wrote to memory of 1320	1916	DllCommonsvc.exe	97
PID 1916 wrote to memory of 1320	1916	DllCommonsvc.exe	97
PID 1916 wrote to memory of 1320	1916	DllCommonsvc.exe	97
PID 1916 wrote to memory of 1904	1916	DllCommonsvc.exe	98
PID 1916 wrote to memory of 1904	1916	DllCommonsvc.exe	98
PID 1916 wrote to memory of 1904	1916	DllCommonsvc.exe	98
PID 1916 wrote to memory of 1036	1916	DllCommonsvc.exe	99
PID 1916 wrote to memory of 1036	1916	DllCommonsvc.exe	99
PID 1916 wrote to memory of 1036	1916	DllCommonsvc.exe	99
PID 1916 wrote to memory of 2428	1916	DllCommonsvc.exe	100
PID 1916 wrote to memory of 2428	1916	DllCommonsvc.exe	100
PID 1916 wrote to memory of 2428	1916	DllCommonsvc.exe	100
PID 1916 wrote to memory of 1256	1916	DllCommonsvc.exe	101
PID 1916 wrote to memory of 1256	1916	DllCommonsvc.exe	101
PID 1916 wrote to memory of 1256	1916	DllCommonsvc.exe	101
PID 1916 wrote to memory of 824	1916	DllCommonsvc.exe	102
PID 1916 wrote to memory of 824	1916	DllCommonsvc.exe	102
PID 1916 wrote to memory of 824	1916	DllCommonsvc.exe	102
PID 1916 wrote to memory of 2352	1916	DllCommonsvc.exe	103
PID 1916 wrote to memory of 2352	1916	DllCommonsvc.exe	103
PID 1916 wrote to memory of 2352	1916	DllCommonsvc.exe	103
PID 1916 wrote to memory of 3004	1916	DllCommonsvc.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0.exe
"C:\Users\Admin\AppData\Local\Temp\42d9eefada6282866bad2e0824bd0435ea162b4b26694f6d88e86df489a177b0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\es-ES\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\sppui\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\en-US\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
        6⤵
        
        PID:3696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3728
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        8⤵
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2400
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat"
        10⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2224
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
        12⤵
        
        PID:3316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1996
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        14⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2256
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        16⤵
        
        PID:3684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3464
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat"
        18⤵
        
        PID:4056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4088
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        20⤵
        
        PID:3216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3152
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
        22⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3136
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
        24⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3208
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\SysWOW64\sppui\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sppui\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\sppui\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\en-US\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c392e42badeaafb452c8f89c92803830

SHA1
5e61f8b3af95c011a4e7808758dc660bb94c43af

SHA256
e3df11e4ed5d7863250b72a5b904b622fcc4c7d698b015fcaaa14c90c8d15b9a

SHA512
1ef9c22288681dd216ab63711c472bb69b8db39b0991dbbccd6ed31e8dfe9c288f0d70288894d0a94d49a8841f4774ff36d1db21c4c8e9767a50384ce48e88eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33b491387975749c122107f5639271a3

SHA1
2e0bfd308c54be13332234433e34f0bd5133c658

SHA256
32af90be821ca7a4f05fcbcf806f628deb34eba784bc2703e61313f3b6220687

SHA512
df3df2a59c19203621d895cca519f64be4d2a9172948bc9f72c1654356ff02eceb5092010a7bab9e234321fb5984e9da781c51ff60ee9423fbce793942d393ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ba754c5e1caf42c2ad66eff99fb8e8e

SHA1
c2a47b71ee0cb50d15bb3255dd73a32ee60d955b

SHA256
df83354ac6c11312c24a2382306d3bc1f7723e60092bc67a6e75bb03df8ae612

SHA512
f7b4f21ea53bc6640b7d925289e588f7c78036f9f6de7cd3b724e64cd5c424e251ac5e147bd524a56edb0c0505b10a5da5c15bf28801df62e096a96186c56405

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae53f940dfb9f6a2068ad57425c57139

SHA1
48a76f24fac18e42416563268308cc8a40969af5

SHA256
7f17658645d33b4f46238a69185a435a4341590c5bdebc5d5345dc270fde59fc

SHA512
57ded35ff809d2e1823f9babe32352e57cb3e5f68381b04bfb6d9dbd7f4075c3287eed319e0472344a404f3d3a65c9d9e6d6b1be5ad886bceac68990366f09c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
941e377df975bec37a0aaa48393d12e6

SHA1
ed4b3342131efc0ddb37847f335868d19538b74c

SHA256
9bd3a91c5a75a9192225026780dfea7b8c43e684040df9259b08ae5e9b23d196

SHA512
06e0638179398e630373018d8588041c25c24386470c19966ed2cc1d25938e20098a57b1f602315024f410a16a5f3c9454727a71f24ad297ca00f15835fd69ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd6db7de3745e754926ec40857d1162c

SHA1
ae5392461d11bce32ab36b25824fa579dc83e7f8

SHA256
6120e2a042458888edc01f71cd56dd40486cfe9ec667353eb7946223e961b925

SHA512
c03297b954b1d7d11891c817392debd2fc3113fd2c4ff91746542e469b4f7b1922bb2790032fe190fd220429770fe9126248b0906e94830dcc4d29261824a515

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
227355b8bec52bd06486195744c98884

SHA1
648d1ff77e9df52fa43c84a47174412aebd1a5d2

SHA256
37c829ffbde47029556327268f532dffc938200c94f096cbcab021ea673c2554

SHA512
f560b8a346771f282a797db6a555958bc98001d98c2965bb24acb676285c80a5c5d50bde95db6f3cdf9c7691b69bdeb8a49d0163b55cdd36531dcf4c9449e4f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
222117354d8c952c86c45e9954388f5a

SHA1
2ed0cc7d2301febfd07a4a42268c1b92fa242ea3

SHA256
fa9f86c1bbef5ff1ebf0cf170b247f6042e7f4647c3842883d51d385b48a2b1b

SHA512
ea90a9dc51626e14bb93f30a821478ccf08fba38096bc0b11a280797e43e274c0636b0b54f3325eb0313a64ef1dcc27addb3ce553bd10d0957c1f010675cd145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bfb16bdd8908dd8e1c0e4b8a4f297d7

SHA1
99349601957cd591cb94a741e7241c9c2369a0f8

SHA256
5a0ba406a47bca62fba4445e91227f7d8026ea7bb8cd5ceaaa7d034c2a1044e3

SHA512
68552e0aa116aec6acf5d51c3d470e3917e01105333939457ccfedd6a79259b1cf8ac2d81fb9fea5ddccb56f15834b4b30526fe677839928d32e2e0a394c1a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

Filesize
194B

MD5
84dc2a204494858c0411b027fd25459d

SHA1
6ef1f57905870246ad9358bf1356a92f51f9c628

SHA256
d9ad0859608653fb4ae7edbfd31e67f0697011bdc6006f51acbd773d4f1e8a51

SHA512
c8cf7cd2b96fbe71a2c3587cd601c0e01ad68ba960a6859e78961286f5db33942d16460ed0472619d9453ddb0e51692fbc1b3bc16254373e544007feaa74ed1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE948.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
194B

MD5
d0dade0522d5ca05785e5018dcb0328c

SHA1
f8ae76247741653304fe6e05f2ef8a085d9aa6d8

SHA256
b8bf96bea5ce8f07b114eb11f3a200bacc4230d9403b5dd0bf1889566603bd4b

SHA512
baaef5d8ef0c264b68ebc10b08c2acdd0d14a603e85be9a639cfe1a99ed93757141916b0ce7593117f05a5367801c51fcce1a32fb760436c56b4dc9206ab763f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

Filesize
194B

MD5
9bd836c75defd455734f91f271017003

SHA1
9bc12c87749e6585ceda1dc3a30b9be61a5eeb16

SHA256
f4d8d7d18d902174ecc824a9e4ec087f8a62d7134571755693e1d6c90064b340

SHA512
e7669dce811126141400b48477799053cb4b56d401bdc13df2d3ef0b9d9c968da9ae23af6005832ef7539bd184f619a1a289c13ad953e84bd6c1b94b571e8432

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPH1A2PBmS.bat

Filesize
194B

MD5
d6f89d68e58ed546dfbb0b86178cbcb7

SHA1
17d58c2cdcb379ddc8bfe9cb0aa2e54acdf111ab

SHA256
898b7603463a5960fc835210fd2afc4a68f67c99673c79105b8d5d3a184bbfba

SHA512
3cf63e15fbb5c6ef82b638d98fc9fe27f13356040ed68ed7eedd820ce3adcbd39e8cdf9fe6fcbf98df098113224134558cdb3c0594598b628c1195c80819289f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
194B

MD5
0166f2963b1146cdad563a2cc5a44252

SHA1
d6bdb6dcb73eee5246af7e9707a951cd17f0d0ec

SHA256
02b29c7cf3b774c9ae3b04c9b17edf3c808bbb9fcb1fa097e4d1c01f869cacd4

SHA512
ba5e287c77b8f873abb4f73b50cd231df5e347af0fedf0726dc1040f350a83ca4a6e207f5a3900a4395516751a47ce1532a07df9eaa20f0e28e81c22fa02f887

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE96A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
194B

MD5
404fe708c8c58555080318d66018735f

SHA1
226de9a48f1b682b62e8d6ef41357ef705e0fd89

SHA256
1d6a8d98cc2ebfb5f441cea64b60dec4aca300fd6e2464ae7869ebd999e71b68

SHA512
39a0540927b8697ad66f550e8c3501032cdf22bb58582d287ced7747c93e7141ecdb3eea53ea01184c78a19c8d7dbc64e8b10f38fe519c2fda14e96466b71ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat

Filesize
194B

MD5
e975b4103ce940cbe22f3817ba664bc5

SHA1
a5137037e9e3e792272f50e317e7fa4bd4ddafb4

SHA256
7ae3d3077292e751a0f621e4f9d1aa841433669bc7396ffbb6ce89cb35cbeb75

SHA512
4c5475306daa5ba72f0ad91a9a9fa046a2214cc32180e2d7dc69779c68c78cd05fa393cab17bbf251278ea2455c88e25dabc8b0b04ede6ae0c22213ebcd3a38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
194B

MD5
e6184ab0170638d7bb5c440e3d642c09

SHA1
a29be0e8e5fb03fe856db6f179c7da91ee606132

SHA256
772b76eef560e7b37564521e01fefa2a903df524e77528530266cb50873729e1

SHA512
4f7a69f548dd90172667ec53df95e8f693a1e75a140b46a352643e9c61d696ce647f70990479d481e687681ec9adc1f7b003b796448a4d76b6dcc2e08f3749f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

Filesize
194B

MD5
7f02f47a6fd8867bc410d79a4208ecdd

SHA1
5984026d51ad75d3b17a5e9476733119759210d3

SHA256
14ced5a7b9e3667d7bc583b2ac39ba55c93ee77b0acb7dad918bf9dfceffb4f6

SHA512
9a7469d6afeb47a0b4d94eb6aeabeb2e1fdebe7c19b8a28a997d0abc5de52c3c8f52471434195bf7a8999b8960cb64fd1cea6f5ac2630f4fec37b5087da41554

Download Submit
C:\Users\Admin\AppData\Local\Temp\z9xTb8lNHs.bat

Filesize
194B

MD5
06e6b2f1241ca3f2a6d07f192fc79ffe

SHA1
6e590fcd031e1e2c03cb4810b4f0b1062f4363fd

SHA256
f50e0ae68152d01a0b1d906fec58f3fe6bb430a3bcfcb2745d098d9d4e7f6d97

SHA512
025986bff30821d2dab394330f8817b13233aa357794452baacfa3704aec95ef4fcd98d0788d5fcf86146321bfc6bb886e46c2ade12f89b45428d420becbfed9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c90f2f4d8795fc7e4443b1e310a3db9d

SHA1
3010d9966ca145c15bd606ce8ea460a5eb025284

SHA256
ef2a53df525abe436a307bd0feae448f943df1f2c932033c16c2ee09a246f887

SHA512
aad8691b9c478c3b93a97dc0e4888d52239c13e87630be53e77dbc9a33d1097c41d1e1b98c52b4c54fc73efb6503dbd5462b887b9ef367a34f109eb9c6e564c8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/984-504-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1040-443-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/1040-444-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/1708-564-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/1916-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1916-13-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/1916-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1916-15-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1916-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2092-383-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2128-77-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2440-323-0x0000000000A20000-0x0000000000B30000-memory.dmp

Filesize
1.1MB

Download
memory/2600-71-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2944-683-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2976-263-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2976-262-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/3004-56-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/3768-201-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/3768-202-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download