dcrat | e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901.exe
Size

1.3MB
MD5

6911c7b69133f08dff48e252ab50db00
SHA1

488e737bc8602c6be02aadff8faa49eb71056a1f
SHA256

e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901
SHA512

b949c5ec4536977865513aac3aee123de2763d0304912971590f90e3d56b2367b9084704eb05f50e0297fc4b945c6ff6d24a1e1c6e1d109da3a9c6545d258195
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	1980	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000162e9-9.dat	dcrat
behavioral1/memory/2660-13-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1460-141-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/2432-200-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/1920-260-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/2624-320-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/2604-617-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2428	powershell.exe
580	powershell.exe
936	powershell.exe
1724	powershell.exe
3056	powershell.exe
680	powershell.exe
2536	powershell.exe
1812	powershell.exe
2460	powershell.exe
2524	powershell.exe
1868	powershell.exe
1476	powershell.exe
1596	powershell.exe
1508	powershell.exe
1572	powershell.exe
2304	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2660	DllCommonsvc.exe
844	DllCommonsvc.exe
1460	taskhost.exe
2432	taskhost.exe
1920	taskhost.exe
2624	taskhost.exe
2216	taskhost.exe
2432	taskhost.exe
1272	taskhost.exe
1460	taskhost.exe
2604	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	cmd.exe
2200	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\en-US\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\en-US\56085415360792	DllCommonsvc.exe
File created	C:\Windows\inf\TermService\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\inf\TermService\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Windows\services.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Web\Wallpaper\Windows\services.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Windows\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
764	schtasks.exe
956	schtasks.exe
2888	schtasks.exe
1476	schtasks.exe
2936	schtasks.exe
2416	schtasks.exe
528	schtasks.exe
2064	schtasks.exe
2192	schtasks.exe
3004	schtasks.exe
1316	schtasks.exe
1716	schtasks.exe
2268	schtasks.exe
1640	schtasks.exe
2144	schtasks.exe
2348	schtasks.exe
1480	schtasks.exe
1816	schtasks.exe
1524	schtasks.exe
2604	schtasks.exe
2696	schtasks.exe
2704	schtasks.exe
820	schtasks.exe
2324	schtasks.exe
760	schtasks.exe
2468	schtasks.exe
2560	schtasks.exe
2936	schtasks.exe
1308	schtasks.exe
2596	schtasks.exe
2396	schtasks.exe
2572	schtasks.exe
1696	schtasks.exe
2980	schtasks.exe
2512	schtasks.exe
2268	schtasks.exe
996	schtasks.exe
1236	schtasks.exe
2132	schtasks.exe
1292	schtasks.exe
2972	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2660	DllCommonsvc.exe
2524	powershell.exe
1724	powershell.exe
936	powershell.exe
680	powershell.exe
2460	powershell.exe
1508	powershell.exe
2536	powershell.exe
580	powershell.exe
1812	powershell.exe
2428	powershell.exe
1868	powershell.exe
844	DllCommonsvc.exe
1476	powershell.exe
1596	powershell.exe
1572	powershell.exe
2304	powershell.exe
3056	powershell.exe
1460	taskhost.exe
2432	taskhost.exe
1920	taskhost.exe
2624	taskhost.exe
2216	taskhost.exe
2432	taskhost.exe
1272	taskhost.exe
1460	taskhost.exe
2604	taskhost.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	DllCommonsvc.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	844	DllCommonsvc.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	1460	taskhost.exe
Token: SeDebugPrivilege	2432	taskhost.exe
Token: SeDebugPrivilege	1920	taskhost.exe
Token: SeDebugPrivilege	2624	taskhost.exe
Token: SeDebugPrivilege	2216	taskhost.exe
Token: SeDebugPrivilege	2432	taskhost.exe
Token: SeDebugPrivilege	1272	taskhost.exe
Token: SeDebugPrivilege	1460	taskhost.exe
Token: SeDebugPrivilege	2604	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901.exe	30
PID 2180 wrote to memory of 2200	2180	WScript.exe	31
PID 2180 wrote to memory of 2200	2180	WScript.exe	31
PID 2180 wrote to memory of 2200	2180	WScript.exe	31
PID 2180 wrote to memory of 2200	2180	WScript.exe	31
PID 2200 wrote to memory of 2660	2200	cmd.exe	33
PID 2200 wrote to memory of 2660	2200	cmd.exe	33
PID 2200 wrote to memory of 2660	2200	cmd.exe	33
PID 2200 wrote to memory of 2660	2200	cmd.exe	33
PID 2660 wrote to memory of 680	2660	DllCommonsvc.exe	65
PID 2660 wrote to memory of 680	2660	DllCommonsvc.exe	65
PID 2660 wrote to memory of 680	2660	DllCommonsvc.exe	65
PID 2660 wrote to memory of 1724	2660	DllCommonsvc.exe	66
PID 2660 wrote to memory of 1724	2660	DllCommonsvc.exe	66
PID 2660 wrote to memory of 1724	2660	DllCommonsvc.exe	66
PID 2660 wrote to memory of 936	2660	DllCommonsvc.exe	67
PID 2660 wrote to memory of 936	2660	DllCommonsvc.exe	67
PID 2660 wrote to memory of 936	2660	DllCommonsvc.exe	67
PID 2660 wrote to memory of 580	2660	DllCommonsvc.exe	68
PID 2660 wrote to memory of 580	2660	DllCommonsvc.exe	68
PID 2660 wrote to memory of 580	2660	DllCommonsvc.exe	68
PID 2660 wrote to memory of 2524	2660	DllCommonsvc.exe	69
PID 2660 wrote to memory of 2524	2660	DllCommonsvc.exe	69
PID 2660 wrote to memory of 2524	2660	DllCommonsvc.exe	69
PID 2660 wrote to memory of 1508	2660	DllCommonsvc.exe	70
PID 2660 wrote to memory of 1508	2660	DllCommonsvc.exe	70
PID 2660 wrote to memory of 1508	2660	DllCommonsvc.exe	70
PID 2660 wrote to memory of 2428	2660	DllCommonsvc.exe	71
PID 2660 wrote to memory of 2428	2660	DllCommonsvc.exe	71
PID 2660 wrote to memory of 2428	2660	DllCommonsvc.exe	71
PID 2660 wrote to memory of 2460	2660	DllCommonsvc.exe	72
PID 2660 wrote to memory of 2460	2660	DllCommonsvc.exe	72
PID 2660 wrote to memory of 2460	2660	DllCommonsvc.exe	72
PID 2660 wrote to memory of 1868	2660	DllCommonsvc.exe	73
PID 2660 wrote to memory of 1868	2660	DllCommonsvc.exe	73
PID 2660 wrote to memory of 1868	2660	DllCommonsvc.exe	73
PID 2660 wrote to memory of 1812	2660	DllCommonsvc.exe	74
PID 2660 wrote to memory of 1812	2660	DllCommonsvc.exe	74
PID 2660 wrote to memory of 1812	2660	DllCommonsvc.exe	74
PID 2660 wrote to memory of 2536	2660	DllCommonsvc.exe	75
PID 2660 wrote to memory of 2536	2660	DllCommonsvc.exe	75
PID 2660 wrote to memory of 2536	2660	DllCommonsvc.exe	75
PID 2660 wrote to memory of 2228	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 2228	2660	DllCommonsvc.exe	87
PID 2660 wrote to memory of 2228	2660	DllCommonsvc.exe	87
PID 2228 wrote to memory of 1688	2228	cmd.exe	89
PID 2228 wrote to memory of 1688	2228	cmd.exe	89
PID 2228 wrote to memory of 1688	2228	cmd.exe	89
PID 2228 wrote to memory of 844	2228	cmd.exe	90
PID 2228 wrote to memory of 844	2228	cmd.exe	90
PID 2228 wrote to memory of 844	2228	cmd.exe	90
PID 844 wrote to memory of 2304	844	DllCommonsvc.exe	103
PID 844 wrote to memory of 2304	844	DllCommonsvc.exe	103
PID 844 wrote to memory of 2304	844	DllCommonsvc.exe	103
PID 844 wrote to memory of 1596	844	DllCommonsvc.exe	104
PID 844 wrote to memory of 1596	844	DllCommonsvc.exe	104
PID 844 wrote to memory of 1596	844	DllCommonsvc.exe	104
PID 844 wrote to memory of 3056	844	DllCommonsvc.exe	105
PID 844 wrote to memory of 3056	844	DllCommonsvc.exe	105
PID 844 wrote to memory of 3056	844	DllCommonsvc.exe	105
PID 844 wrote to memory of 1572	844	DllCommonsvc.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e5008b423f52a4d940157553e42bd782fe64464ea9fb4c5defe2e29732a5f901.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Windows\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\es-ES\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\en-US\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wODqquGRGG.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2228
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1688
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\TermService\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nm8lPBxSYP.bat"
        7⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2816
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        9⤵
        
        PID:640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1336
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat"
        11⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1464
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        13⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2396
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
        15⤵
        
        PID:2460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2800
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat"
        17⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2660
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
        19⤵
        
        PID:336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3004
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
        21⤵
        
        PID:680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2104
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        23⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2620
        
        C:\Users\Public\Music\Sample Music\taskhost.exe
        
        "C:\Users\Public\Music\Sample Music\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat"
        25⤵
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\Windows\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Windows\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Windows\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Office\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Update\1.3.36.151\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Temp\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\inf\TermService\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\27d1bcfc3c54e0

Filesize
61B

MD5
6565a972e2b9c7b34cfb1538d646940d

SHA1
9f5355513ee2b74a96ab994cee3a082c7e4e924c

SHA256
676c1867522d7bfa6a4b1246433d2ed2dc8695761c6900bef08ce632a547c8c7

SHA512
87551b164b816fea58cca86eacfe0c1d2f6899411bd86d152cdb0034d6a2761f644b1f125a4eb8c9b74063d421544614f49382a6d169bac4eccd14f9de626081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66cecacbabf20957e5ff1bb90f151b8f

SHA1
d805ffba83585898962eb697162f4bebe364c0de

SHA256
3f48031eb0468e1da64f671ba1aec77e1fb46a90491bf6fb00f3ec2c1a5bc527

SHA512
65824326b8af9376a7c6af66e05a3b78e5030b22fe1fd3a9f2f9b49efb1d3383bee6aacba7875b5dcd87d15ec26a280bee95ae5ec6dd804da454bd4915f74ddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
401c7b15200debbd5a2a6ff24e616051

SHA1
1e0ea60ff48857b72f3c5ffac38b510a0ff65d1b

SHA256
146dd6113644b1c7672f5a314a6c988a99ccd01bb3cad2b47a2ec5ddd5cef946

SHA512
fb4135e855287a89e190ca1cbb66d3b7b53cc1611e874125ed19748f214e35d3fab0a133532079962e60865aacdb21fb9e2a28f5ab6bf635d0fed9951073512c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2930d8d2edb3741a6b472e2795a93f17

SHA1
d03b1c1127deb60d060fe1103e3deeb4d6b1e3b7

SHA256
ccd8ad67d791d302b4314bc642551f1497a8f6abaf035a288acbb1db11a7a8ac

SHA512
737b847d89433136813a9fc5198df706b698e1499326274d7511d690a9180d9f4135313f243f1b76f2b457e6ef87b9e6fd0ab1a2e3b7f5c3e0a777141dbba587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d3835a189ec9b9b9814b0495c660caa

SHA1
a91b9abbb616065671ea4d948d22036c58d17d5b

SHA256
cf842dcc2b293fcea92535f91c98c5944d88ff7e24e13315ef8f64f3085068f3

SHA512
0fe0943f0d501d273c7b301a2f79f75cf3980000697e17fe990be5c031e974ad07f6be28422f9b4777afc2237af0cc0b40764fb1920d0e5ea00d8e6e44cecec9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62deddfaf16d92b5db85526db16684d9

SHA1
a9230331ddef753388529c2b5c7a3b9259d9cd64

SHA256
39e7339fddafa736c5c7ffa0ddb35f22f7a223cc7ef9b7b6eb2e97b522d24d83

SHA512
078795489b9eacfff04026706b71e9ecb68ec86a49a447dd6a14f7d916dd3c3387d01022a001e5dd1d49e70c5b9144415e13b0705b1277532531ab3467494e51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b403bde41d30608f40fdb7c1e0b4f8d

SHA1
ec2e7766971830802c514573c32145c006a676d8

SHA256
f6b3846f974c3bd985849fe70fbd0e6149586c5ef494f51d79a4c00c86a67c82

SHA512
50769e4e0c8a538017fd3198fb6a81e10eb4ca2c53841ff8d0f9a0a4f83eb4e1e96dddf1e6b3e28d6d902d319ce374fe55551959d24e4e9f7e168b3cc6dfcc4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
908f500696e49d8c6013a8f09449f0bc

SHA1
721888246c10f3573cd56baf2c47c2e2d78bfce6

SHA256
571ed0b364dda8abb9f754c8556666b88f42720496342984b49139090cbcc9be

SHA512
6cee93c69d7cb081af30225b5bec24f48fd2264341fd073989ecafc10e1558d186700f36fc3d03d49f32dc6a4d4927042d7ef4f4a441e869863a92918a30f59a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd3046af04b5e4974faba7b384818f5a

SHA1
d40b3345724532944515169dee01a5944f21c149

SHA256
cb586237719ae1f49c150b62b75f8a03160c042bd738e3d61aea90a34488ce19

SHA512
0c4bd202b73b68911454500ad69998b14736c21895e510e32bebd9d6e00f2413db52db4b8927b6c9a5bd806420e25c1a00dfa3fb111426dcc4f469e3cfcea61b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
212B

MD5
49035d257450939efef26bbc70364c90

SHA1
41c20dd59ff4a335fbc3c346d53325aec9b12624

SHA256
81ca21c2580cf56e062c1550b9f23852ebb83063a56cc030b3d056e472aabb06

SHA512
fcc02e05efdb031dab853a909ee242794ea4c2c80a4961932bd7c324ca2147ecc4948efe8eb04a7f24cc538afe0a303c323e5c5be7952c78baf99a9419bc0536

Download Submit
C:\Users\Admin\AppData\Local\Temp\BHs9KC1JDp.bat

Filesize
212B

MD5
0f7b39d467ba7087a240f133fdeb7271

SHA1
aa87a5f8759e9fc0c4bd9067148bd02abbd28994

SHA256
92abf8954f15fd8d769ec851161a51548c27f49076312fda9cf764c0d65b1599

SHA512
3f3a0792808ec9e3925a298d2587c9a815fd9aa489193599c4188498490961e2bd752539e72398ec8efb3a1610f6a8a69ff8fbc73c4aafae041e91d4dd820d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB379.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat

Filesize
212B

MD5
d0a05309f3b25843955c1e53e14ea58b

SHA1
587bc2041a641730d419572e1904bd461013df75

SHA256
34e157d3a6a154eba7a05077495deeb39ffdba8621d0daa33edba1e9da7840ea

SHA512
a507e6c27ce28190bbf8aeef5257fb2c7d8d0747ffc6ac89e3de5a2e340e1d27062a0f91ed12fa0562de33bd5b429f33278acb8c4e3664dcde218d6e8d16dc03

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

Filesize
212B

MD5
e88cf940d88de81b6032d0b6bf68a376

SHA1
a7782cf41b6587663720e939a8ad152d5e3ea8f1

SHA256
1918ff33267d62798743d7c54543c942ce47a45957769fc393c27fe5f0b345c7

SHA512
81a7e61f929007eff6cc6f9dfcfa6034b7ac544fb93af25746b1d1b41c6246560310320bb0672bc1d462e91cfacd3f21c67c020c0490885a99f6f918989af682

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB3CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
212B

MD5
98c738a67d60d781e9167929d2ac75a6

SHA1
40d21a893d4f6ed6cce2b5de1c1ce744236bb9c1

SHA256
108ffa19023983d0c7b6031aaf3d7788889c3eb49d6794f4318c76415781f858

SHA512
64377b86fe75039e9936e585534024ea48a7f93851a49b5ce73585912a2cc9dcff93120d438b0ee11d265ab1a017993bb4bbb9bcdda765f6b252625fa74d3f03

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
212B

MD5
16efcc683c74ac0da39084e10b074f39

SHA1
c71f5ba13433ba4318a01bf0d8ed43f0b43f8b67

SHA256
0524cf0b0d7227a49e5df0c0a4e94f31764993b97c18774021d33d2ea30d2df9

SHA512
4239fde40bdae6075ed8ad6998e588efb1762cd5e360651d6003acef0d6f3b9e1b2085fa5647bcc5e2a3506b64090baf1b33421ac6ba3ea8941f29b75ebea68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nm8lPBxSYP.bat

Filesize
212B

MD5
856fc6e66897e08d8f062622efe9c3e8

SHA1
133e4135f8d60103c5e675aa0080df8c0e134fa5

SHA256
1b41694cf289a57dfb93c0efeb643fd82a18bf140855067d5babee4e3b6c0e2a

SHA512
45fa23bd52862fb4070c0861abc11718fabe899a28f81a428fe38a3240f88a1bdafa65c7ffdfa77ac003d421e8567548f939753859ac1743f976d2ffac3dee13

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

Filesize
212B

MD5
b64142cac6b26f91e9158bc41e45cbec

SHA1
1d5dd020b52ccc27db0fd41403a0443a0e346d58

SHA256
99636d7d1a67af72c3a526439f73ebfd9f75400ae80af762d6924e435afc6b05

SHA512
c4ade175debb0228dab9e94723f12c14d6c1669a1261c292c69bef264546d90e30b4ea83e530199eaf186e25c8dd0c669173ea84dc3c41bfad25843821ad74dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\r40S8pVzgD.bat

Filesize
212B

MD5
95a84bddc4f4152648c4882f0c4f7c6c

SHA1
02e7262db667ab3c99c4599e0164b1243c1eb557

SHA256
ac41e04ab80987cdf32d71634cd47cab59ca20582528e10c700e9230bf938c4b

SHA512
85db34bfc178f72b46cc0dad1783313bfdf04f53030ab3fe0cfe35206f3160a592fd6ae129237636ddb758921cd64186b462111d7d1be54cfe4910c549b82ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wODqquGRGG.bat

Filesize
199B

MD5
dd5b2d11c9cd45342f7579a6161af438

SHA1
3171b00b3cc4e92196d5468116f8d0ede5c74f76

SHA256
e95e949241abf2e73878a682a269ccd34000482ef177c01a3bff9cc183d1f655

SHA512
c538906172fdaf477ea684bc5d2fc7d32da7881abf676590bd2e3612c1246f71d9b19e9f47f6918a413a2f8769a32e4edb2b27f4874c05eabaf1a3e3328ff73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

Filesize
212B

MD5
02de35aa65237170c5760cb49c8c5952

SHA1
00e71d8fef838df373515e3ff3eabb7220e4528a

SHA256
4e92469ab55680b97f2c069662e627dc9c12815c25b37150df9f06d392ed93f8

SHA512
0db3007d624d4760b79c18c09bd0d0d0cf7375dfa295b209a7e9d68a639e130b93be468ee426aa09a5ba898efc77cc49a3ac78c965f03ba04a6b4b5e657adc1d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UOE0BFXA559S931K73K4.temp

Filesize
7KB

MD5
76f89fb19b5ac306169b59f7b81206d5

SHA1
50454f8484bc8e3f9f108f3d44b42c07ced00370

SHA256
3eb8a4ada4886397225199b43c4348bb2eb5f994d9072deac20a72da6ae6be88

SHA512
fc31b9ea0344ae0c4272fc519fc03ff1a3c286a883992f2f1fc89e42c7ea2ac05b6b916df81fed26726e1757358215ad6b6372a7fb8d1015704422c34f6afdae

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1272-498-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1460-141-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/1476-121-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1476-120-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/1724-63-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/1724-98-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/1920-260-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2432-200-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2604-617-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2624-320-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2660-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2660-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2660-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2660-13-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download