dcrat | 92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f.exe
Size

1.3MB
MD5

0df0a0f9704632c0d0a9f8ac49cb9e04
SHA1

5a154822cba776e1d74bb315c54e576156a07896
SHA256

92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f
SHA512

87fbd05ad098215f6a5c8ef42f3544a692e1d327e17afbe9d7fec4da92aeb35ee27d95bf874b0bc01c2bccf7dea1435f557cf1fdc1604600a9699868e7e6e9f3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3020	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	3020	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016de4-9.dat	dcrat
behavioral1/memory/3044-13-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2852-136-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/580-195-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2244-491-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2364	powershell.exe
1716	powershell.exe
2328	powershell.exe
2436	powershell.exe
2044	powershell.exe
888	powershell.exe
2060	powershell.exe
1076	powershell.exe
2876	powershell.exe
1720	powershell.exe
1236	powershell.exe
1172	powershell.exe
1592	powershell.exe
2224	powershell.exe
2040	powershell.exe
1588	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3044	DllCommonsvc.exe
2852	explorer.exe
580	explorer.exe
2032	explorer.exe
2960	explorer.exe
2140	explorer.exe
2500	explorer.exe
2244	explorer.exe
2172	explorer.exe
856	explorer.exe
2576	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	cmd.exe
2604	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\TableTextService\en-US\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\3082\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Visualizations\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\lsm.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\Common\de-DE\lsm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1408	schtasks.exe
2708	schtasks.exe
2144	schtasks.exe
992	schtasks.exe
2216	schtasks.exe
1920	schtasks.exe
900	schtasks.exe
692	schtasks.exe
2524	schtasks.exe
484	schtasks.exe
1068	schtasks.exe
1980	schtasks.exe
1512	schtasks.exe
2412	schtasks.exe
1660	schtasks.exe
2276	schtasks.exe
1628	schtasks.exe
1776	schtasks.exe
2724	schtasks.exe
2832	schtasks.exe
1940	schtasks.exe
2376	schtasks.exe
2080	schtasks.exe
3056	schtasks.exe
2552	schtasks.exe
2192	schtasks.exe
836	schtasks.exe
644	schtasks.exe
572	schtasks.exe
332	schtasks.exe
2856	schtasks.exe
2388	schtasks.exe
2868	schtasks.exe
2576	schtasks.exe
324	schtasks.exe
892	schtasks.exe
2008	schtasks.exe
1932	schtasks.exe
2776	schtasks.exe
1336	schtasks.exe
1536	schtasks.exe
2916	schtasks.exe
1632	schtasks.exe
812	schtasks.exe
1800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3044	DllCommonsvc.exe
1592	powershell.exe
1172	powershell.exe
2364	powershell.exe
1588	powershell.exe
1720	powershell.exe
2040	powershell.exe
2876	powershell.exe
1076	powershell.exe
2328	powershell.exe
2436	powershell.exe
888	powershell.exe
2060	powershell.exe
2044	powershell.exe
1716	powershell.exe
1236	powershell.exe
2224	powershell.exe
2852	explorer.exe
580	explorer.exe
2032	explorer.exe
2960	explorer.exe
2140	explorer.exe
2500	explorer.exe
2244	explorer.exe
2172	explorer.exe
856	explorer.exe
2576	explorer.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	DllCommonsvc.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2852	explorer.exe
Token: SeDebugPrivilege	580	explorer.exe
Token: SeDebugPrivilege	2032	explorer.exe
Token: SeDebugPrivilege	2960	explorer.exe
Token: SeDebugPrivilege	2140	explorer.exe
Token: SeDebugPrivilege	2500	explorer.exe
Token: SeDebugPrivilege	2244	explorer.exe
Token: SeDebugPrivilege	2172	explorer.exe
Token: SeDebugPrivilege	856	explorer.exe
Token: SeDebugPrivilege	2576	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2432	2592	JaffaCakes118_92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f.exe	31
PID 2592 wrote to memory of 2432	2592	JaffaCakes118_92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f.exe	31
PID 2592 wrote to memory of 2432	2592	JaffaCakes118_92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f.exe	31
PID 2592 wrote to memory of 2432	2592	JaffaCakes118_92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f.exe	31
PID 2432 wrote to memory of 2604	2432	WScript.exe	32
PID 2432 wrote to memory of 2604	2432	WScript.exe	32
PID 2432 wrote to memory of 2604	2432	WScript.exe	32
PID 2432 wrote to memory of 2604	2432	WScript.exe	32
PID 2604 wrote to memory of 3044	2604	cmd.exe	34
PID 2604 wrote to memory of 3044	2604	cmd.exe	34
PID 2604 wrote to memory of 3044	2604	cmd.exe	34
PID 2604 wrote to memory of 3044	2604	cmd.exe	34
PID 3044 wrote to memory of 2364	3044	DllCommonsvc.exe	81
PID 3044 wrote to memory of 2364	3044	DllCommonsvc.exe	81
PID 3044 wrote to memory of 2364	3044	DllCommonsvc.exe	81
PID 3044 wrote to memory of 1236	3044	DllCommonsvc.exe	82
PID 3044 wrote to memory of 1236	3044	DllCommonsvc.exe	82
PID 3044 wrote to memory of 1236	3044	DllCommonsvc.exe	82
PID 3044 wrote to memory of 888	3044	DllCommonsvc.exe	83
PID 3044 wrote to memory of 888	3044	DllCommonsvc.exe	83
PID 3044 wrote to memory of 888	3044	DllCommonsvc.exe	83
PID 3044 wrote to memory of 1076	3044	DllCommonsvc.exe	84
PID 3044 wrote to memory of 1076	3044	DllCommonsvc.exe	84
PID 3044 wrote to memory of 1076	3044	DllCommonsvc.exe	84
PID 3044 wrote to memory of 2044	3044	DllCommonsvc.exe	86
PID 3044 wrote to memory of 2044	3044	DllCommonsvc.exe	86
PID 3044 wrote to memory of 2044	3044	DllCommonsvc.exe	86
PID 3044 wrote to memory of 2436	3044	DllCommonsvc.exe	87
PID 3044 wrote to memory of 2436	3044	DllCommonsvc.exe	87
PID 3044 wrote to memory of 2436	3044	DllCommonsvc.exe	87
PID 3044 wrote to memory of 1172	3044	DllCommonsvc.exe	89
PID 3044 wrote to memory of 1172	3044	DllCommonsvc.exe	89
PID 3044 wrote to memory of 1172	3044	DllCommonsvc.exe	89
PID 3044 wrote to memory of 1588	3044	DllCommonsvc.exe	90
PID 3044 wrote to memory of 1588	3044	DllCommonsvc.exe	90
PID 3044 wrote to memory of 1588	3044	DllCommonsvc.exe	90
PID 3044 wrote to memory of 1592	3044	DllCommonsvc.exe	91
PID 3044 wrote to memory of 1592	3044	DllCommonsvc.exe	91
PID 3044 wrote to memory of 1592	3044	DllCommonsvc.exe	91
PID 3044 wrote to memory of 1716	3044	DllCommonsvc.exe	92
PID 3044 wrote to memory of 1716	3044	DllCommonsvc.exe	92
PID 3044 wrote to memory of 1716	3044	DllCommonsvc.exe	92
PID 3044 wrote to memory of 1720	3044	DllCommonsvc.exe	93
PID 3044 wrote to memory of 1720	3044	DllCommonsvc.exe	93
PID 3044 wrote to memory of 1720	3044	DllCommonsvc.exe	93
PID 3044 wrote to memory of 2040	3044	DllCommonsvc.exe	94
PID 3044 wrote to memory of 2040	3044	DllCommonsvc.exe	94
PID 3044 wrote to memory of 2040	3044	DllCommonsvc.exe	94
PID 3044 wrote to memory of 2876	3044	DllCommonsvc.exe	95
PID 3044 wrote to memory of 2876	3044	DllCommonsvc.exe	95
PID 3044 wrote to memory of 2876	3044	DllCommonsvc.exe	95
PID 3044 wrote to memory of 2224	3044	DllCommonsvc.exe	96
PID 3044 wrote to memory of 2224	3044	DllCommonsvc.exe	96
PID 3044 wrote to memory of 2224	3044	DllCommonsvc.exe	96
PID 3044 wrote to memory of 2328	3044	DllCommonsvc.exe	97
PID 3044 wrote to memory of 2328	3044	DllCommonsvc.exe	97
PID 3044 wrote to memory of 2328	3044	DllCommonsvc.exe	97
PID 3044 wrote to memory of 2060	3044	DllCommonsvc.exe	99
PID 3044 wrote to memory of 2060	3044	DllCommonsvc.exe	99
PID 3044 wrote to memory of 2060	3044	DllCommonsvc.exe	99
PID 3044 wrote to memory of 1544	3044	DllCommonsvc.exe	113
PID 3044 wrote to memory of 1544	3044	DllCommonsvc.exe	113
PID 3044 wrote to memory of 1544	3044	DllCommonsvc.exe	113
PID 1544 wrote to memory of 2008	1544	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_92fc227d170851af4e61cc5f21e4e184f9cc42b5d8236cc59175f2faf8bce51f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Office14\3082\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Visualizations\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VrwVepxppS.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1544
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2008
      - C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
        7⤵
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:984
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat"
        9⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:816
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat"
        11⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1244
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"
        13⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2420
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        15⤵
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2180
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
        17⤵
        
        PID:1908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2740
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        19⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1852
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat"
        21⤵
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1620
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat"
        23⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1716
        
        C:\MSOCache\All Users\explorer.exe
        
        "C:\MSOCache\All Users\explorer.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Recorded TV\Sample Media\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Default\PrintHood\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\3082\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Office14\3082\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Office14\3082\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\Visualizations\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\Visualizations\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca4ec2ade9cac6c99d7cc473e4464f91

SHA1
8a9d4d01b4d9e2e64c8f15b93c87fb14f701d9a8

SHA256
f815239363325d235320c5e06b28e74c6b93f5db82c8e847abbdda4664486fa2

SHA512
8e84e2e5379e911e8696b904ac596ec11772ab47acc943ff6f28a3211bc688a8de54c780b2205895786942741c958002e03c66c9cd37c8014d75a57071a95297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31670e1c290ef85c921b1045edd9ccf2

SHA1
2ec0594599133572627100e5b6b9b130d4eff201

SHA256
edd624452a8a6970781a33c0251716fa8057b6ee6e0f97425318e09881ba370f

SHA512
ccf30e289c3828a527f0419976cbb6324608c90a8f936273d5c3b6bd3e0c093c60e9bb4329ad81f8f355b80a8ba03286140b215dd921d08701ed3b91224ecdd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c645c079ebc20f5ce59daa9a0a3ade1c

SHA1
4f70a73ffa0492a70dd017870aa083e72f0fb4a5

SHA256
61273cc34a56285fbbcfc962f718cf996e93fb34f0e14fd2dbbbb2d43fbeac4f

SHA512
19ac3adf145ca4569df539f8a043a6b8d8c9a610b96921ba3ab036c67ad7c55d2be2dcbdfaaead5b02abfb74b1ae8d38aff3b3e7cd5b407ecd902834f44f0c3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21e82a74e3c4e25767c8e78665dbe716

SHA1
b66b52219bc4a698a0191237773a8e8acd655759

SHA256
2f5355be9b72c0a2cefe79b514d835a5f68f97d0de4c3430285c070517b694f1

SHA512
63fba67d0a0adac8b6cb74a763f233c96a80fe46ccf52259127cf680e631f8df25e15b5f05e63d4f83191f1a16c779491d6c046c350f4089008779b7095e33fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6238ac122ab1835445fe471539bb4f3

SHA1
b3000de66ead2943d85b3a9f706c0036e369b68a

SHA256
85e404cf89ef4344b417d4e06ecc201df79040f345ac389e53f783bfaa27346b

SHA512
aa1e54a0d733d45511f4815d7ab4d9b0beb50592e622861a41625e6173f96a72cf154eb54e915478365e80ca715b19d0633a667842f45aa55f7a8d5503f87a46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e6e324d797d12d5c9e380675a94f141

SHA1
994ede7a700f291eff76930377bfa51a89c59da3

SHA256
215ab159889c6433a858b3862cc39fbb036e91397ebe85d01ed7a2fd78588332

SHA512
2d815f8d30c7ca15709ca07da2f596cbb2aa492696ec0bfb4868e6be97e95649f5fcbcde0a0b94e60520599019b7e4404d499b72558d6504bfdd65a0713e1ead

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9ca31c9833d2f049627d5307e5fe024

SHA1
83baf8ba3a6e148ee570677ce551eea7a67ce2b1

SHA256
bb4553e3fc7dd215f175aba4db9d580ae899de717162338e3ffdf734371bc24e

SHA512
ba33c4dad747c249a62b677fadb525474cbbe465cc095fca780f1cf8657dd7103f91045a5346a17eacaedb4367c8b5ccbec41b56c446b2d5dd274a68fb15d9d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f283688764649891c6e14a2c8e28fdd

SHA1
c38ec53d8accc71c101fd6cb273675f8bcc3b76f

SHA256
88993d17a3c5fd5f89f1c02b6b34e200d7c2eeb67a07affca46cc3f01d29e4cb

SHA512
8e8f3f761e5f7c3d7b346e1ee69c6711fb463ba611bcc6b6b72bfa0fec3b2ef460a31dfa0a1c92fd631368afe13a0be6d185d04efd6f460bd613573823a04aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0P1AeAAEDQ.bat

Filesize
199B

MD5
f87d86d4a7b909f1f5c3c7061b498f1b

SHA1
bf487bd73b59e69864c949c8aa23e4f280fc92bc

SHA256
522f2109d5b4b537d41cf483070f10e27695a9abf704c470fbc801a0ec156137

SHA512
ba832d55673ee86fbe1d28eb81d184c952d426ed96e048df4f8a7bc2eb4bea2f0c74ed197593c24df4b9173c3146fa98c06656a86001db8f2f131c7189a78d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

Filesize
199B

MD5
284c1782f82fdeac7ef29ad6297c465e

SHA1
400feb13c0ec842155d627c1f2fcaa15c9c9797a

SHA256
6c690add94d4266a1767047c45d3c4140e16e44e86722e16fbcace4c7a9e15fe

SHA512
afb7a19febb5b9af9b5d72c8c8f5ea226f6c56fbc781a8122c3f5c028e4784299d1b59b443ef9b411e66f002eb00dca2f8157737d8b3fea47fc534f0f0c61eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat

Filesize
199B

MD5
107ab19df55fbd1846671bcc0e2a4366

SHA1
241ed8cbf7e1d6c6f139629a6a7c619b426d6bbb

SHA256
2e8cdd2dc7025cd7ac2a4b23b3bc30509ab0bee130c99d6c16a90140e110ac69

SHA512
ef550217801c365482ae3a1c699259c3cf6d43f41cad71ceae56dfd91cc1244d097d7d82e4a97ab14d48dce6fe26330e5e11d2067ffeeb11120131cf38ae97ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

Filesize
199B

MD5
353ce6f48d916e7a663a00483e7e6ba8

SHA1
01638fd812878369bcb3ffa5a651f0a4a3a425eb

SHA256
d238d1b9ca4386f0bd103824731b919051ac729e5eeeaf3e6574aacbbdc885b7

SHA512
dadaf3e8a2c3392dd428e524125a586299d3c2b34d2693fbc8d59486c96e668de7f1d534ae1e493f1aeb9f0460db90fff9f00048c75ce28ad0ca82e2cc0d602b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3851.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
199B

MD5
0d2a156d9b72b4c4da3b9656b6f30597

SHA1
de7ee63515b8bd379f515e5d9b940f899204653a

SHA256
3eaafc0771a2870021dd5032e477d300a2910f6f4691d18f57f14026fd88865e

SHA512
4a414dbad1ae2b0dd9246d7759a68e37114b73525b1e7406cc736b25aa61845e01d9cdd6859b05bc52ff89be90c7ba468b5c7be417472b52292ec03a6c48a186

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3873.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VrwVepxppS.bat

Filesize
199B

MD5
733c336d5950407e721992fae78e9669

SHA1
bd042835d8def7239606b31cab164c7157ef9530

SHA256
a6ab1d8724cd967d34b14b39c902c8b770a5844d3862199b86b88a0ab5af6971

SHA512
f3dd030cf207a5680fc41300abf09fe69dbfe0d85460560786579fd74e70c65dddcc89212aa7e52cc04c04ccef146faee4a7d2c34eb6065db8d045ca6268ca6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat

Filesize
199B

MD5
a30e44d6a1535d312ac1d8f724d37ff3

SHA1
556edce0214fa9b55f31bec72c71eb347f889e02

SHA256
8c3675dd29edde779331275bb5462ad1bb63e8ea6a522000835ddfa96d84cf6b

SHA512
1c35d5faeb383ec949e6a11fe4d28f765d52a8c534d77f908061eb027f470258d55ac2465a2698f7b3a536713a043729982c373f6af37a88672ebc316a46e317

Download Submit
C:\Users\Admin\AppData\Local\Temp\m1XclINWiF.bat

Filesize
199B

MD5
b2d1a6da90ca4973c88fe53aeb5a4862

SHA1
6069cd27b3f7dab5f326bd60b16a8c7610773bc3

SHA256
cf7064d24d2f195e231b9d2efca80ec5bf8250829fa620589f228bc12c1c092f

SHA512
66371753413350951f9a281ee7b23247aef51c7617fe1a5f5f80b96aca9cbef5f5d1457b5f760bd787134573f5054a7eba39d37d307f988f5c33e3c62a9f232b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
199B

MD5
217c39d3905612653fab8d65c2530c51

SHA1
f48aaf8a89d5672e609922de75b6d8ab0f77461e

SHA256
d2576fdcda64190a0e5b327c3bceefafaeee40ecd9881d32dec23587f08ea883

SHA512
4a109184624a86a111cc7d3cefe5e5241d7bc9e6d0bf8a40082254e07e8adc28ba1d4c25f490b0c56e4cd70f6c7e5eff6bb93d25f97778f9492929bcea29546c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vFDRBKGR2C.bat

Filesize
199B

MD5
75548cd66d565144ba0d0a056dd206ec

SHA1
049ecbbe7d8d4edc7b40ba7abbdc0e682bd6fce0

SHA256
a3dc9c49ba055d68ee3afbd8a9b66397c5ef456be5edfb51b6ae48ba2d043e27

SHA512
b28715716c7fe9bb0c66b8231f935ff844a539bb39c60a5c32ba41b15ce5d4d58243f15dbbb2020dfb514910ad128bdba104f09f71f3fb20a08d108c7cf7a0b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
353c2a3e549f1fe3462c4af8ad321366

SHA1
3542cfb180ad65f2a21d422a4734a9a8238185b6

SHA256
a1f6c09718a814a6fce9c4b9710e93f588854af5c71272580f488ff51e4c4f15

SHA512
831134a6fca02aade1c8c916d4d9772f790f08c82c5a008484ff79ccd0b05274a1eee5d8b791535dc77a95bcf2031f2961b21458a6f31e198a79a445f9feeb7c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/580-195-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/1592-67-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1592-72-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2244-491-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2852-136-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/3044-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/3044-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/3044-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3044-13-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/3044-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download