dcrat | d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8.exe
Size

1.3MB
MD5

47051bf9d9a9a9996aec54269a069779
SHA1

db82e1509a63fae794f6b83d2fc042b5ab5081dc
SHA256

d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8
SHA512

a232b55420e54fd9b96c5aed64e8fae60f7fa333f3de4c1c62e813d965ece4f1cd5e1a7a4850e8eebf874ace56b86b821a43bf10da4597f8effe21c7c1cf4d8b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2732	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001903b-10.dat	dcrat
behavioral1/memory/2560-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/904-130-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2736-309-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2836-369-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/3008-429-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/2676-549-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1592	powershell.exe
2076	powershell.exe
768	powershell.exe
2092	powershell.exe
1724	powershell.exe
2356	powershell.exe
1596	powershell.exe
2088	powershell.exe
760	powershell.exe
3008	powershell.exe
2372	powershell.exe
2388	powershell.exe
2080	powershell.exe
2056	powershell.exe
1584	powershell.exe
1796	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2560	DllCommonsvc.exe
904	lsm.exe
2924	lsm.exe
1012	lsm.exe
2736	lsm.exe
2836	lsm.exe
3008	lsm.exe
1728	lsm.exe
2676	lsm.exe
1440	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
1852	cmd.exe
1852	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\ja-JP\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2012	schtasks.exe
2040	schtasks.exe
2964	schtasks.exe
1712	schtasks.exe
1376	schtasks.exe
1296	schtasks.exe
2912	schtasks.exe
1056	schtasks.exe
552	schtasks.exe
1316	schtasks.exe
2456	schtasks.exe
2500	schtasks.exe
1864	schtasks.exe
1732	schtasks.exe
1304	schtasks.exe
1716	schtasks.exe
2648	schtasks.exe
2028	schtasks.exe
2592	schtasks.exe
1924	schtasks.exe
1736	schtasks.exe
2460	schtasks.exe
992	schtasks.exe
2808	schtasks.exe
2272	schtasks.exe
868	schtasks.exe
1856	schtasks.exe
1096	schtasks.exe
2620	schtasks.exe
2632	schtasks.exe
1368	schtasks.exe
892	schtasks.exe
2448	schtasks.exe
236	schtasks.exe
3028	schtasks.exe
2640	schtasks.exe
3036	schtasks.exe
1608	schtasks.exe
1780	schtasks.exe
2524	schtasks.exe
1420	schtasks.exe
1948	schtasks.exe
1440	schtasks.exe
600	schtasks.exe
976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2560	DllCommonsvc.exe
2560	DllCommonsvc.exe
2560	DllCommonsvc.exe
1596	powershell.exe
2372	powershell.exe
1592	powershell.exe
2076	powershell.exe
1796	powershell.exe
3008	powershell.exe
2080	powershell.exe
2388	powershell.exe
2092	powershell.exe
760	powershell.exe
2356	powershell.exe
2056	powershell.exe
1584	powershell.exe
1724	powershell.exe
2088	powershell.exe
904	lsm.exe
2924	lsm.exe
1012	lsm.exe
2736	lsm.exe
2836	lsm.exe
3008	lsm.exe
1728	lsm.exe
2676	lsm.exe
1440	lsm.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	DllCommonsvc.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	904	lsm.exe
Token: SeDebugPrivilege	2924	lsm.exe
Token: SeDebugPrivilege	1012	lsm.exe
Token: SeDebugPrivilege	2736	lsm.exe
Token: SeDebugPrivilege	2836	lsm.exe
Token: SeDebugPrivilege	3008	lsm.exe
Token: SeDebugPrivilege	1728	lsm.exe
Token: SeDebugPrivilege	2676	lsm.exe
Token: SeDebugPrivilege	1440	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2212	2236	JaffaCakes118_d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8.exe	30
PID 2236 wrote to memory of 2212	2236	JaffaCakes118_d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8.exe	30
PID 2236 wrote to memory of 2212	2236	JaffaCakes118_d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8.exe	30
PID 2236 wrote to memory of 2212	2236	JaffaCakes118_d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8.exe	30
PID 2212 wrote to memory of 1852	2212	WScript.exe	32
PID 2212 wrote to memory of 1852	2212	WScript.exe	32
PID 2212 wrote to memory of 1852	2212	WScript.exe	32
PID 2212 wrote to memory of 1852	2212	WScript.exe	32
PID 1852 wrote to memory of 2560	1852	cmd.exe	34
PID 1852 wrote to memory of 2560	1852	cmd.exe	34
PID 1852 wrote to memory of 2560	1852	cmd.exe	34
PID 1852 wrote to memory of 2560	1852	cmd.exe	34
PID 2560 wrote to memory of 760	2560	DllCommonsvc.exe	81
PID 2560 wrote to memory of 760	2560	DllCommonsvc.exe	81
PID 2560 wrote to memory of 760	2560	DllCommonsvc.exe	81
PID 2560 wrote to memory of 1724	2560	DllCommonsvc.exe	82
PID 2560 wrote to memory of 1724	2560	DllCommonsvc.exe	82
PID 2560 wrote to memory of 1724	2560	DllCommonsvc.exe	82
PID 2560 wrote to memory of 2092	2560	DllCommonsvc.exe	83
PID 2560 wrote to memory of 2092	2560	DllCommonsvc.exe	83
PID 2560 wrote to memory of 2092	2560	DllCommonsvc.exe	83
PID 2560 wrote to memory of 2088	2560	DllCommonsvc.exe	84
PID 2560 wrote to memory of 2088	2560	DllCommonsvc.exe	84
PID 2560 wrote to memory of 2088	2560	DllCommonsvc.exe	84
PID 2560 wrote to memory of 2388	2560	DllCommonsvc.exe	85
PID 2560 wrote to memory of 2388	2560	DllCommonsvc.exe	85
PID 2560 wrote to memory of 2388	2560	DllCommonsvc.exe	85
PID 2560 wrote to memory of 2372	2560	DllCommonsvc.exe	86
PID 2560 wrote to memory of 2372	2560	DllCommonsvc.exe	86
PID 2560 wrote to memory of 2372	2560	DllCommonsvc.exe	86
PID 2560 wrote to memory of 3008	2560	DllCommonsvc.exe	87
PID 2560 wrote to memory of 3008	2560	DllCommonsvc.exe	87
PID 2560 wrote to memory of 3008	2560	DllCommonsvc.exe	87
PID 2560 wrote to memory of 768	2560	DllCommonsvc.exe	88
PID 2560 wrote to memory of 768	2560	DllCommonsvc.exe	88
PID 2560 wrote to memory of 768	2560	DllCommonsvc.exe	88
PID 2560 wrote to memory of 1796	2560	DllCommonsvc.exe	89
PID 2560 wrote to memory of 1796	2560	DllCommonsvc.exe	89
PID 2560 wrote to memory of 1796	2560	DllCommonsvc.exe	89
PID 2560 wrote to memory of 1584	2560	DllCommonsvc.exe	90
PID 2560 wrote to memory of 1584	2560	DllCommonsvc.exe	90
PID 2560 wrote to memory of 1584	2560	DllCommonsvc.exe	90
PID 2560 wrote to memory of 1596	2560	DllCommonsvc.exe	91
PID 2560 wrote to memory of 1596	2560	DllCommonsvc.exe	91
PID 2560 wrote to memory of 1596	2560	DllCommonsvc.exe	91
PID 2560 wrote to memory of 2076	2560	DllCommonsvc.exe	92
PID 2560 wrote to memory of 2076	2560	DllCommonsvc.exe	92
PID 2560 wrote to memory of 2076	2560	DllCommonsvc.exe	92
PID 2560 wrote to memory of 1592	2560	DllCommonsvc.exe	93
PID 2560 wrote to memory of 1592	2560	DllCommonsvc.exe	93
PID 2560 wrote to memory of 1592	2560	DllCommonsvc.exe	93
PID 2560 wrote to memory of 2056	2560	DllCommonsvc.exe	94
PID 2560 wrote to memory of 2056	2560	DllCommonsvc.exe	94
PID 2560 wrote to memory of 2056	2560	DllCommonsvc.exe	94
PID 2560 wrote to memory of 2080	2560	DllCommonsvc.exe	95
PID 2560 wrote to memory of 2080	2560	DllCommonsvc.exe	95
PID 2560 wrote to memory of 2080	2560	DllCommonsvc.exe	95
PID 2560 wrote to memory of 2356	2560	DllCommonsvc.exe	96
PID 2560 wrote to memory of 2356	2560	DllCommonsvc.exe	96
PID 2560 wrote to memory of 2356	2560	DllCommonsvc.exe	96
PID 2560 wrote to memory of 2736	2560	DllCommonsvc.exe	113
PID 2560 wrote to memory of 2736	2560	DllCommonsvc.exe	113
PID 2560 wrote to memory of 2736	2560	DllCommonsvc.exe	113
PID 2736 wrote to memory of 1956	2736	cmd.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d2b7e3f6f61cf721a071f454124c3b4d4dae2d31fd8fb6a04396ea18d3b844b8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OHJeuSki0c.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1956
      - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
        7⤵
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2660
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
        9⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3008
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        11⤵
        
        PID:1212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1392
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat"
        13⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2628
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
        15⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2904
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
        17⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2936
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        19⤵
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1948
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat"
        21⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2400
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        23⤵
        
        PID:2488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\My Documents\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\My Documents\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3733e64578b7d6cfb46272f67923dbcc

SHA1
2d01a44a9ca2fa98e4e2542399391a3c11a81bb6

SHA256
5b47f44874e6ab78d4a9a4e9f23a6fd3d422016dfbccc95ec5a8f85daf37eaf1

SHA512
3156cfb0ceff29604c30dd4bb4be22b1f9ca0aee316d42f7ddbbf8180b1e4dda385d094348036d409d216fe788446e6733252d0e53eabe08cff90092a1221b40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85f30103d55bd0a5854da171cfaa3b7a

SHA1
83ff525277503184a07e3cbcb2a3c08e39192851

SHA256
9307eb548f3e0d28dd726e75b3a2d54bc999127f2ecb18c207fb96c7140b5a6e

SHA512
911cc10e603c54a1fdb58b899f98d623d754be894a1c5e17d9a96bdad998ea6b92dc8c07bc629e3bdf7ac8967bbe5fbcd64b9e875868697f90f03b076a42b2da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd4213b124f03a52a378a1f4e25d4f8a

SHA1
b67977e6c2493493c060e17ec9e848e924f99755

SHA256
794f87332acae54057294f880258a9f9e9481f33f2d4e804f22e4db9f4a95cca

SHA512
63889de7f46363e1a13a78ba4d3efc11aefdef46c8848358495d7c9184923a486a4a7c951cf79c0d1ab281a8cb256dfec2ccc1db05b85194b189979dc69bea8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25779791c24a4a4998d2a95b9953fd32

SHA1
93a03b9b760a5cbe280491dc89b92d83476f1ab9

SHA256
81c76b17c020a068e3d85ed3b0ec1ce47de878a1581dbe82cefe92a2f983f34f

SHA512
c0f9750fc08d5090d11f3073faeebcbc3a0789eb6bec6d988a70aa28ec2f7780e5f49a9a5d7eba2b6459b5d78a806cf41f0e70110cedb2fc846803aaa6686e7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b038e00c156759585b027545bf8791c0

SHA1
495e86e316aca3853d66e07aeb38d33c0fc8756b

SHA256
d3c77de2e584d1d751f791f1716303a1de4f433b9007bfee71bbfb7d906b0833

SHA512
e7e26a5b4887b436d984469c1429a9cb849fd7801fd9bea9c1a1de86641d8b062c7d6286b392519f73afc53aaf770c4033e587a6eab23c7e9302a6c2583de541

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2eb66acd2210d8d84c094a996ed8bf9

SHA1
af1bc57d06450308134139191da8dea1d0e38104

SHA256
7b6a0030ac7f00a6aa6723a4c84a536a2fc1e5001f56bf677d6278d1254a1ae5

SHA512
7b85e625bab24a4c1be6545475521bd7e3abec578dd0751150c41779a06d9cf8cdf98c9d31972358f0f15205bdafa66aa5ec40d1defbca2fb163e7b9f14472a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd3fd0b1d33f6338c36d326bed1eca51

SHA1
6828cbb77e06af0e2ba29be304af3a506e7cde34

SHA256
61fe9b497ce8c9f7d63adab2fdf952c9aa9e79c8699198688d285583ff35c5f5

SHA512
4ac884d64a2f52cabbf5a500a2ddce241f0ed1fd45562700813a5dce3e3c6107adbed31de97673529bad96db7f87187772c7bfe19b11b8ec162ddc2c50f863e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a32df85ed081dbc1e50d6e510e0dc229

SHA1
0c7bee8bb078a2fc03e0f29d1af2593240835a96

SHA256
6c2a2f37d6f31bebeb54f9e173479e9508643d115a89bcb2b4b4725ce0dae424

SHA512
ac22a853208e8841f7822eeeaec7c1722bbf21b8d342208fdf4a0628cb951dda2f0fb2362a5a3cc8be8a0fbe10c4486ab593d26a5ff41fbeb7352459771a0dd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

Filesize
221B

MD5
d3badcce21f885a924cc2ac67136b895

SHA1
b390a2b171fe4c440088a3caa3a2404943e54034

SHA256
41b1cdf9f634649b7913ec42590539f0e80f62715b981d7b5a2db91d2bf839d0

SHA512
b666ea616a7568ad4001ed0c5d6258b1c7d4cb1d94f6d0ce50b05cb60c647862dc0d6fefb8afd4557ed13e316e5867438c75c89c4afb12f2a392a4725ebfccee

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

Filesize
221B

MD5
7398ab228107c1526b4e5928d236d231

SHA1
5289fdb7700b62d429b1d3bd2d09750e8902fe03

SHA256
cc794ee82aeef4f03947b680962b66288239e5e43700c1bcd6ab4770750983d8

SHA512
6bc5c10015856b2dc194bcba97f7c25e1a234c40c335320c1390ab1cd3789679cf6df1c5516de2f4032dabefe2c4ff03bea3f9c2242d0ac1d8b24e809c8c234a

Download Submit
C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat

Filesize
221B

MD5
e3da9aecb012c76bc82c799299edee9c

SHA1
257709fde85fc7c3009b639d9e4a67bb182aa222

SHA256
7cacc9ce7c165f6b67401c569ad20f80f05cd5887106cd7a81cf0b00176d9a3c

SHA512
2ab3a603250e14f52e79dab7fac503f774ef4b3ef4d30c55686ef433fa4b6bab8bb04813b62e1aebd04d07891c26b4e52f412181fc3d88f8db76c35ab7633851

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
221B

MD5
7e59e91493e1469541dfc925e821e997

SHA1
60a06a94a524a4ea6a7f30709c428bd630ea1a5a

SHA256
7881d0942b9e06596b8080c25fa0752a9e889cf23e19d7ffde260290c5cdb45f

SHA512
671c8ce68517da3bfc9bf0f1d9feaa5b7ac3baa33fd9043be7534a0604e6bb28ddddab46795d0fee2eab4338140aba3fe56543a5f9712ddeb1e86007b546bae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab38CE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HKL0gj8mBn.bat

Filesize
221B

MD5
27b611f6d03a1864dc0779e5d95e4c14

SHA1
13b5c05a4f159b406ec3e4110a0ae5e8f5d67cbe

SHA256
c659825cbd04766488edaf54161989290c8560277d202c4cc8f6f0009f1872cf

SHA512
09392d45288152c96067a01bef1257dde163b90f8615b484192d3197f635c4dddd05d56639ce72d54ab179ac11d4afaf6ba42a56bd6962b15ff8404cd7fc8eca

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHJeuSki0c.bat

Filesize
221B

MD5
af09d8a5377aa391c4c95444090ef865

SHA1
4a44d7c98ad1c72814b48858e5668a8ddad0909b

SHA256
58fed33b03a55c7cd98fa24eb786be4adc0448a3cfef70592db117515b3a3fc0

SHA512
1f62d0f378963dbb06517f1fc14c33769b3c046014372739a9529244b0e612bb46d79240dc2c37e275ba92a47d39b7037c52eb9696660d12709244af0fe15b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
221B

MD5
d2a89cfab06c67547fc6b386c67be4f9

SHA1
855edd55ae7a6a2d30b651ee470b90cc6dad11dd

SHA256
39a7cbf1aee64ea4ead5f9dcc9b6409f58efa225ccba75597dfb0cfcf10abd8c

SHA512
11f0d80e9587932ed3d6b3cd7c9171978c859eb00034a7319ebe766db121d2388df44b822130ad69fc0f07cfe820dd402a6d87511ef204cbe9d259a6aa4e7d94

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3900.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
221B

MD5
0894d619e4e2bdd3826ad93f61ecf7eb

SHA1
3ba1c0c9b994ff9b01997775d627a6bf615b3bf7

SHA256
67a6b7f8e1048dc5c747ed2802e785a31ab653f97edf700f6bb716a3666a7019

SHA512
4f58e8e5bcf8d92e895908a8fe7297454a2c68b6e1b0a8c0a09241260ecfeda06200cc5649344e9f1bc5f498a2d5bf3bec8b7f7a4fe20afe5a0c423869258c07

Download Submit
C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

Filesize
221B

MD5
47b985db87245c7727b74bf45bdc9417

SHA1
de3edb4241a7c93a966c5e3d796a1f76004df986

SHA256
401e9dacef43d064d4a9076e63aa27b7971b477ab5074e1988241c7492ddc5d9

SHA512
4b7bb82dc6a45335d13458d1a702be236fa1546db1a003d1ae70523417ed54d8021eac5fd7511cb799f10ebc9ef98d00e849d06d222f91549ebed1278493ecad

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat

Filesize
221B

MD5
59e16cd35f4c72dc54eb557ea31fe9d1

SHA1
ad77b864362536bfe19ee3d9a5685906819de4a3

SHA256
32c93071fd69c64d6e9bf9e2cb4a0307666961c5ab52b4dfc34cd6ac779c77eb

SHA512
8febf4a0d55ea86ada4e665ebd1dcd128965433c50bf88fbf366c0fbe053187383572342914c2806f5fb8e5d72e1ce793ae568c721a97978ffae4ba079f28f0a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5d0947f7fda65b9895179129290ef599

SHA1
ae932b0bd3c77cca65191b17007cb9f3db4f7aac

SHA256
a78ff23c14668c1ff6275db2dbdffcffff29e73d2c0e4c411cc71878a7f5df6e

SHA512
5d414b324e10c94b46ed73dcc75fc461cb0866eaff004653d85f2d2def2bf065c29110c76bca8003ccebd5ef7f9ba760909b70128649a6733ee41a3467f8e9e0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/904-130-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/904-131-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1012-249-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1728-489-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2372-72-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2372-71-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2560-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2560-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2560-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2560-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2560-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2676-549-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-550-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2736-309-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-369-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/3008-429-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download