dcrat | f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7.exe
Size

1.3MB
MD5

2c273627f748d2c1898792798043c60d
SHA1

1014e08c702207d632ad6961f525d87b9636d756
SHA256

f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7
SHA512

6425af0d71634b28a03a49d06aa8a1d8eecc2756d81b8338acf5b06dd59adf632235aef6369fa43204e387f052bbbc3327b28e21d82142789f2e80d6ff67b6a6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	924	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2688	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2688	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015d89-9.dat	dcrat
behavioral1/memory/2480-13-0x00000000008A0000-0x00000000009B0000-memory.dmp	dcrat
behavioral1/memory/1664-58-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/376-205-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/1056-266-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2132-326-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2120	powershell.exe
1728	powershell.exe
2860	powershell.exe
1732	powershell.exe
2612	powershell.exe
536	powershell.exe
2308	powershell.exe
2932	powershell.exe
2620	powershell.exe
1888	powershell.exe
1752	powershell.exe
2716	powershell.exe
2804	powershell.exe
2108	powershell.exe
1896	powershell.exe
2096	powershell.exe
2596	powershell.exe
2928	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2480	DllCommonsvc.exe
1664	spoolsv.exe
376	spoolsv.exe
1056	spoolsv.exe
2132	spoolsv.exe
2928	spoolsv.exe
2756	spoolsv.exe
2480	spoolsv.exe
1664	spoolsv.exe
1628	spoolsv.exe
816	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
1244	cmd.exe
1244	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\fr-FR\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\smss.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Setup\State\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1040	schtasks.exe
2504	schtasks.exe
992	schtasks.exe
680	schtasks.exe
2524	schtasks.exe
2544	schtasks.exe
892	schtasks.exe
2760	schtasks.exe
2520	schtasks.exe
1492	schtasks.exe
1784	schtasks.exe
3028	schtasks.exe
304	schtasks.exe
1640	schtasks.exe
2088	schtasks.exe
1100	schtasks.exe
2736	schtasks.exe
2756	schtasks.exe
1980	schtasks.exe
2444	schtasks.exe
1700	schtasks.exe
988	schtasks.exe
836	schtasks.exe
2536	schtasks.exe
1572	schtasks.exe
2148	schtasks.exe
1952	schtasks.exe
1812	schtasks.exe
848	schtasks.exe
1256	schtasks.exe
2976	schtasks.exe
1772	schtasks.exe
1720	schtasks.exe
3004	schtasks.exe
1764	schtasks.exe
1392	schtasks.exe
3052	schtasks.exe
1704	schtasks.exe
2196	schtasks.exe
1912	schtasks.exe
1688	schtasks.exe
1124	schtasks.exe
924	schtasks.exe
1792	schtasks.exe
2780	schtasks.exe
1172	schtasks.exe
2924	schtasks.exe
2696	schtasks.exe
1516	schtasks.exe
3068	schtasks.exe
332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2480	DllCommonsvc.exe
2096	powershell.exe
2108	powershell.exe
1732	powershell.exe
1728	powershell.exe
2596	powershell.exe
2932	powershell.exe
1896	powershell.exe
1752	powershell.exe
2860	powershell.exe
2928	powershell.exe
2120	powershell.exe
2716	powershell.exe
2308	powershell.exe
1888	powershell.exe
2612	powershell.exe
536	powershell.exe
2620	powershell.exe
2804	powershell.exe
1664	spoolsv.exe
376	spoolsv.exe
1056	spoolsv.exe
2132	spoolsv.exe
2928	spoolsv.exe
2756	spoolsv.exe
2480	spoolsv.exe
1664	spoolsv.exe
1628	spoolsv.exe
816	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2480	DllCommonsvc.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	1664	spoolsv.exe
Token: SeDebugPrivilege	376	spoolsv.exe
Token: SeDebugPrivilege	1056	spoolsv.exe
Token: SeDebugPrivilege	2132	spoolsv.exe
Token: SeDebugPrivilege	2928	spoolsv.exe
Token: SeDebugPrivilege	2756	spoolsv.exe
Token: SeDebugPrivilege	2480	spoolsv.exe
Token: SeDebugPrivilege	1664	spoolsv.exe
Token: SeDebugPrivilege	1628	spoolsv.exe
Token: SeDebugPrivilege	816	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1428	2412	JaffaCakes118_f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7.exe	30
PID 2412 wrote to memory of 1428	2412	JaffaCakes118_f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7.exe	30
PID 2412 wrote to memory of 1428	2412	JaffaCakes118_f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7.exe	30
PID 2412 wrote to memory of 1428	2412	JaffaCakes118_f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7.exe	30
PID 1428 wrote to memory of 1244	1428	WScript.exe	31
PID 1428 wrote to memory of 1244	1428	WScript.exe	31
PID 1428 wrote to memory of 1244	1428	WScript.exe	31
PID 1428 wrote to memory of 1244	1428	WScript.exe	31
PID 1244 wrote to memory of 2480	1244	cmd.exe	33
PID 1244 wrote to memory of 2480	1244	cmd.exe	33
PID 1244 wrote to memory of 2480	1244	cmd.exe	33
PID 1244 wrote to memory of 2480	1244	cmd.exe	33
PID 2480 wrote to memory of 1732	2480	DllCommonsvc.exe	86
PID 2480 wrote to memory of 1732	2480	DllCommonsvc.exe	86
PID 2480 wrote to memory of 1732	2480	DllCommonsvc.exe	86
PID 2480 wrote to memory of 2120	2480	DllCommonsvc.exe	87
PID 2480 wrote to memory of 2120	2480	DllCommonsvc.exe	87
PID 2480 wrote to memory of 2120	2480	DllCommonsvc.exe	87
PID 2480 wrote to memory of 2108	2480	DllCommonsvc.exe	88
PID 2480 wrote to memory of 2108	2480	DllCommonsvc.exe	88
PID 2480 wrote to memory of 2108	2480	DllCommonsvc.exe	88
PID 2480 wrote to memory of 1896	2480	DllCommonsvc.exe	89
PID 2480 wrote to memory of 1896	2480	DllCommonsvc.exe	89
PID 2480 wrote to memory of 1896	2480	DllCommonsvc.exe	89
PID 2480 wrote to memory of 1728	2480	DllCommonsvc.exe	90
PID 2480 wrote to memory of 1728	2480	DllCommonsvc.exe	90
PID 2480 wrote to memory of 1728	2480	DllCommonsvc.exe	90
PID 2480 wrote to memory of 2612	2480	DllCommonsvc.exe	91
PID 2480 wrote to memory of 2612	2480	DllCommonsvc.exe	91
PID 2480 wrote to memory of 2612	2480	DllCommonsvc.exe	91
PID 2480 wrote to memory of 2596	2480	DllCommonsvc.exe	92
PID 2480 wrote to memory of 2596	2480	DllCommonsvc.exe	92
PID 2480 wrote to memory of 2596	2480	DllCommonsvc.exe	92
PID 2480 wrote to memory of 1752	2480	DllCommonsvc.exe	93
PID 2480 wrote to memory of 1752	2480	DllCommonsvc.exe	93
PID 2480 wrote to memory of 1752	2480	DllCommonsvc.exe	93
PID 2480 wrote to memory of 2096	2480	DllCommonsvc.exe	95
PID 2480 wrote to memory of 2096	2480	DllCommonsvc.exe	95
PID 2480 wrote to memory of 2096	2480	DllCommonsvc.exe	95
PID 2480 wrote to memory of 1888	2480	DllCommonsvc.exe	97
PID 2480 wrote to memory of 1888	2480	DllCommonsvc.exe	97
PID 2480 wrote to memory of 1888	2480	DllCommonsvc.exe	97
PID 2480 wrote to memory of 2620	2480	DllCommonsvc.exe	100
PID 2480 wrote to memory of 2620	2480	DllCommonsvc.exe	100
PID 2480 wrote to memory of 2620	2480	DllCommonsvc.exe	100
PID 2480 wrote to memory of 2860	2480	DllCommonsvc.exe	101
PID 2480 wrote to memory of 2860	2480	DllCommonsvc.exe	101
PID 2480 wrote to memory of 2860	2480	DllCommonsvc.exe	101
PID 2480 wrote to memory of 536	2480	DllCommonsvc.exe	102
PID 2480 wrote to memory of 536	2480	DllCommonsvc.exe	102
PID 2480 wrote to memory of 536	2480	DllCommonsvc.exe	102
PID 2480 wrote to memory of 2308	2480	DllCommonsvc.exe	103
PID 2480 wrote to memory of 2308	2480	DllCommonsvc.exe	103
PID 2480 wrote to memory of 2308	2480	DllCommonsvc.exe	103
PID 2480 wrote to memory of 2932	2480	DllCommonsvc.exe	104
PID 2480 wrote to memory of 2932	2480	DllCommonsvc.exe	104
PID 2480 wrote to memory of 2932	2480	DllCommonsvc.exe	104
PID 2480 wrote to memory of 2804	2480	DllCommonsvc.exe	106
PID 2480 wrote to memory of 2804	2480	DllCommonsvc.exe	106
PID 2480 wrote to memory of 2804	2480	DllCommonsvc.exe	106
PID 2480 wrote to memory of 2928	2480	DllCommonsvc.exe	107
PID 2480 wrote to memory of 2928	2480	DllCommonsvc.exe	107
PID 2480 wrote to memory of 2928	2480	DllCommonsvc.exe	107
PID 2480 wrote to memory of 2716	2480	DllCommonsvc.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f490fd276b4e6a5eb49424a5cb1ff0b90e50d93c3f61bed82ab3504f6a9c60b7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1428
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\fr-FR\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"
        6⤵
        
        PID:2168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1352
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
        8⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2364
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"
        10⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1228
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        12⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1676
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        14⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1740
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
        16⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1252
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
        18⤵
        
        PID:1816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1768
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"
        20⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3004
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        22⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1860
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        24⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\Setup\State\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Setup\State\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Searches\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\DigitalLocker\en-US\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\DigitalLocker\en-US\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\Accessories\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Windows\PCHEALTH\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
568688c7a2ff976ac159c4b6e7cc8aea

SHA1
9adec9b7ad629bf84fa871e58bce3d451549272c

SHA256
e986b64be13cd8a9ae5c62446201217e07bebd145f880ddba0fc292efccb340a

SHA512
59abf9e67befe32b31f6135cce4876516af6a10f9dc2297b7787d3184635df0d62a831a9a48326b631935786d55ceb00f05bc3dd07267724023c541c42c5a150

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
060d6d3015b2a9460b71492f88569d95

SHA1
2ff33912b9d83da998e1ba5d860625bf31f21596

SHA256
868c823a535ec291702efa92a8cd03c84e6c327b89fbf6ce2df821de6ad6f11b

SHA512
296a9ea862b5200774bb653d07b5cf886b6175bda7e603a85795483a0fd0665527a4fbd75ef0b3e7b08920c14ee7bccb73eff32d5116f84e224eff93bda36526

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c56843e601ad9b1fdc1f8a030a730308

SHA1
6c16888faaac1906b4cafc075f946471430d4cae

SHA256
077ddfdefb739b41b55ed660f740323190f651b3b768e4283f202835692db693

SHA512
80ec6238f6f9a4f9c6eb21be81494c04f13689d173c0a9cf8632ef9b660c6bede8d99db2650f095cd656d7fa410aab56b0ae08048b48f3796aaa652318cfc5f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd78d8f09ed579dead73cdc9a25d6a2e

SHA1
9b4274c9d09c98854db9e6574cc5b6b262f9d55e

SHA256
fb8de1437df118a90108ca989657e55a8bbfdb66e08142a759252fa1cbd1ff2c

SHA512
3de04ec1505cfdd465d0746c27ff49d428b0f925b57c25a7d577aa98f457059d49607c9c0b3281280e88d3efcf265463cadcddd2555775263bbc90c42de9536a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e65e8ef0280a723d73c3f63383f7d80

SHA1
e481495732bed3943a3a481982ed9be5f004ab7f

SHA256
af3e36b7baa3d3a411fca8251c81832d4ed2ac3c0f8746d7d9c5b543f8df8d42

SHA512
e6d173414075add225835e803f063a95681e2fa70aab796987c0bb08dd5823b594cefeab85191a8ceb2d780ced3a4d36adc539eae557608597c7bc83a8f1ee7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de3fc4616a10ce780cfaf7683d21194f

SHA1
a8dbdc11166d5e5e0c4de8f71dc0ec7340024105

SHA256
3f139ff22bf186b93c60c484f16228d9a251b2de43a2ab9ea0d2a787f43788e6

SHA512
ed4dbdb7be56495ad991975bcfcb0e931c8fd1a7674ce0ba4272594f2023b8080439bb30f2c5275f24631c4fff0fabcde751336b7b1309b91f2636cbc8a52f86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94a3e976d0daedb62fdcd83610e75f4f

SHA1
b42db6f403b378db27a0edc1f63023c32268d330

SHA256
f9b64d64fae3f092726098ee7aa981b224b9d3b792297e4812502aa121d8f862

SHA512
61f955a0c9ff4d0d837fdd406b5ba3f5dd57f604c89d137850638a3792741c6edb7135e9087f22a647605bbdbd0aca72fd3b90f3b4fbb0df9772a5354e8ab362

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f9f3dccbe8f751a71ab882571b706c5

SHA1
ea96a1e1f563df815555ee06ba68a0fd63937621

SHA256
d556d8f5d5986616e40a29592970e3a1c9a96275c4a6a46e7036276e067b5299

SHA512
e13a6f1dcc63caa9ef55e6efe6f036b8ad2a35342ab7632e4fb99b987f204558b1fe046bbc9fbf30ebc8f552c37fc777a695722f7860100cedf49ae4be333974

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbbcf2e716257dbb14216cd5ca3903c7

SHA1
75714e83fd2148ec0e29d742b319b0d8f03eac67

SHA256
54dc1d3f757759536c9133c0976dda02aeb68816e77a298bb7ac9074d984688f

SHA512
d0cdc51175a14d02602a6eaade47c3c4b3f9434b4464d6a5bdcc6f511670860ddee771d1d1bb9ad519fe0145b2d68e82ba97a252047cd9a22e58b584a55fc2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

Filesize
198B

MD5
58b081a391a42d008cd12ed7cbce760a

SHA1
4601f7c2433267efa01dc71277b673b26b131e83

SHA256
2d93bf89413865d22a0db9ee3f068b0a7b206351f8843135967d0c8149a1baea

SHA512
9c1c1e68146876536d85a56e65bc01d348270753181985dcfc827380683a31bdfddabf6f36be9eb3239c3b81162ed6d64569a5d6a66bdf1916b7d7d6d3a345b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA03.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat

Filesize
198B

MD5
6c7dd10fc56707db509b78d166554523

SHA1
f9d3186f47041aa9799cc0574397a6a9a1dc5c5c

SHA256
aca0facc487b602b8ce642b68410f2b7a3739276b38831c0aed6e22a992becba

SHA512
3a59b53bfcaecec01f0d9f90f4d690717b82d2f1c2922ab49840fa569d5e8417f9b0c68b3b5726fd79448a0156b353a449ba7f31bbaadad42a03d5937a0ca395

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat

Filesize
198B

MD5
4811e4857b8abcdce68a68732a0421cb

SHA1
d0c13d899c4138e171887271d673acffbe56a1c0

SHA256
092129fef8373d21fe460de7aaae75bc6ae7d1b915d3fc4a455bdc80f11bf6fa

SHA512
ae1094bf4639b6db919dec90e59d90e3b4055da9ca984ee5936263d4d447a188358376d9fa8c029ada7716b9513119545481537db6e0ad9a8d54e35e35a8fee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA25.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
198B

MD5
7e5973744d1cc9d9705ac029cb9bce4d

SHA1
24c6c7b8430f6be99fb9f9a5ec7d1b2c9dd7815a

SHA256
21772f90c68247a5881fce7515bde69d00ea58c86286cfb9c984093abd25e0dd

SHA512
51084de16a2a2aa7f7a361bec92d9c042a457e3765d479127a34c932872ff639b9cb9da030e9d6183eb8b0a3af6d4112ba67ade9a49680aaaa37710a96c38ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat

Filesize
198B

MD5
aa9ebcd41c4f128dc95557d5b58e89fe

SHA1
4df2d96d309d75cf0d433945e4253b7dfc422936

SHA256
57ef252d511afffc21dc9098ea1f7ea98b83a5da23277e3cccf848b9824fb2a4

SHA512
0e21f73ca410f3340e698bd71ec685620180adf7e28ecbaf6afe5d1071b19a0034f9acc66ad2aec37f612c1c1ec6f463a8581891cc10c5f06e535cf1a09ef42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat

Filesize
198B

MD5
b368fbaeed68727f3c305fc9f95d1b1b

SHA1
fd4923dc82814033c9ade5421e68291a99304b84

SHA256
d0d6af6f83294828c28bf5b6e6cb0d54617527a2b4f09b0c05762aa59b7cfbe8

SHA512
b83c0583a48a20226397746723bc6c98e41184d9b6db429de7812804c82d0783d9e7553f49f6bb5be4ae7384c3cf70f38554dfdd55108d688c6bfded02a801cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
198B

MD5
93152a82f33bc7a137f59b9be099011f

SHA1
3c26fdfd97ebf34811c7909edd929d27f9040d31

SHA256
e40aa9835fdc72004528a657e77caa879fc1623174b91fba21021dd7b36bd61d

SHA512
3a2faed1527bd5413d8ae5485c87938321dfbad30754552f71c3eefeb4577c41c07b350790a82b6d42a16dcd0245727d1cf9eed9cbfbdc69be51ad630c89d60e

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
198B

MD5
39c8203e8f6c293cc0d1aba602ae9585

SHA1
0d94eb12e97d1eed880aaee84ff911a8ddab11c7

SHA256
0621cce01b50147e5737128fe7a3ce007fadbc8aa207929b595ccea9bbf26ce7

SHA512
a0e91453d011bd07535ae1cfa8bb5f5d251ece9451d07910a5f53a317d12a9a5b5d40cd2705243f07131ff14a6a9cd8d5d5fc68fb5f2bb3240f357eac4d86cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
198B

MD5
b85d224c650893fa8b6553c073947fe2

SHA1
79bc24e16408ac35668f81726b99af512aa26de9

SHA256
0a7fa6cc92269125c1ab72efad4d38076f37983891c3949b718cd37201c5b946

SHA512
ac357f8aff4964a29cde1fb8bce014433c54c16fffd7f9b7b53ef9c6d35a5752275c8608df87e185138afd188754084a9efc5cfc38cb16a43abc43fd60ea7e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat

Filesize
198B

MD5
4f14c37a6c9bbad47f004167f50f492f

SHA1
20b17ba8c8ae4817509fd770a4ab3713bd735cba

SHA256
41133e72d1a58de0d5eb994efd95fd4629aedee4007de7567522ce511c709f99

SHA512
466a1ddaa200e7062c4a50a857b41c8ce1c144f58ca5248e4ab9a510c1a77959181437a437153b370393261d31261a03a75f95854547fe56f2187cbb6ece51eb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
15dca31d8ea1c0a186585b340ffb4b5a

SHA1
48d401145c68136c9c77c0b61fb00e044d3ad52b

SHA256
e3c4d900d3c79c1c16cd96851f5d308f9ce40e5ed23b63c81f4ceb1059f105e5

SHA512
10ada4a8a2882b201c5c44fde3f8305b9a490a680a7c59037c3e1e3eca787fd4bb630fdfca3fc2c48c8db6b232bf6605817991d026ac53b330b6c5a8faa12e3c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/376-205-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/376-206-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1056-266-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/1664-58-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2096-73-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2108-75-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2132-326-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2480-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2480-13-0x00000000008A0000-0x00000000009B0000-memory.dmp

Filesize
1.1MB

Download
memory/2480-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2480-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2480-504-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2480-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download