dcrat | 69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f.exe
Size

1.3MB
MD5

024a33dd06973b9f0d513ce684bafe84
SHA1

7ae69d53e03a54286ddc49f6f83ed1e77c7f2500
SHA256

69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f
SHA512

64958499683c07469ac3d605958d700d074a05ba14ce57a95ee917e7c06785828ca41dd0c502c430e2d93a7c914a95d699710ca611386fbca536ec35e49db2f7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 48 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2656	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2656	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001949d-9.dat	dcrat
behavioral1/memory/2956-13-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/2796-138-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2208-197-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2528-317-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/1580-378-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/804-438-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2660-498-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2108-558-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/1684-618-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2068-678-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2300	powershell.exe
2528	powershell.exe
1636	powershell.exe
1608	powershell.exe
1708	powershell.exe
1580	powershell.exe
1952	powershell.exe
2780	powershell.exe
1984	powershell.exe
2744	powershell.exe
2776	powershell.exe
2896	powershell.exe
2920	powershell.exe
2760	powershell.exe
2908	powershell.exe
2904	powershell.exe
2924	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2956	DllCommonsvc.exe
2796	sppsvc.exe
2208	sppsvc.exe
2072	sppsvc.exe
2528	sppsvc.exe
1580	sppsvc.exe
804	sppsvc.exe
2660	sppsvc.exe
2108	sppsvc.exe
1684	sppsvc.exe
2068	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	cmd.exe
2928	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\ja-JP\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 48 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2372	schtasks.exe
2268	schtasks.exe
3028	schtasks.exe
684	schtasks.exe
332	schtasks.exe
2108	schtasks.exe
1640	schtasks.exe
1804	schtasks.exe
2968	schtasks.exe
1100	schtasks.exe
1932	schtasks.exe
2188	schtasks.exe
1384	schtasks.exe
2868	schtasks.exe
1532	schtasks.exe
672	schtasks.exe
2304	schtasks.exe
3036	schtasks.exe
2324	schtasks.exe
2204	schtasks.exe
2864	schtasks.exe
2752	schtasks.exe
2960	schtasks.exe
2168	schtasks.exe
2508	schtasks.exe
1672	schtasks.exe
2020	schtasks.exe
1828	schtasks.exe
1624	schtasks.exe
1960	schtasks.exe
2056	schtasks.exe
1620	schtasks.exe
2296	schtasks.exe
1724	schtasks.exe
2072	schtasks.exe
804	schtasks.exe
1720	schtasks.exe
824	schtasks.exe
1504	schtasks.exe
324	schtasks.exe
596	schtasks.exe
2464	schtasks.exe
2512	schtasks.exe
1820	schtasks.exe
2728	schtasks.exe
1500	schtasks.exe
2184	schtasks.exe
380	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
2796	sppsvc.exe
2208	sppsvc.exe
2072	sppsvc.exe
2528	sppsvc.exe
1580	sppsvc.exe
804	sppsvc.exe
2660	sppsvc.exe
2108	sppsvc.exe
1684	sppsvc.exe
2068	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2956	DllCommonsvc.exe
2956	DllCommonsvc.exe
2956	DllCommonsvc.exe
2956	DllCommonsvc.exe
2956	DllCommonsvc.exe
2300	powershell.exe
1580	powershell.exe
2908	powershell.exe
2896	powershell.exe
2776	powershell.exe
1608	powershell.exe
1952	powershell.exe
1708	powershell.exe
2744	powershell.exe
2760	powershell.exe
2780	powershell.exe
2924	powershell.exe
2528	powershell.exe
2904	powershell.exe
1636	powershell.exe
2920	powershell.exe
2796	sppsvc.exe
2208	sppsvc.exe
2072	sppsvc.exe
2528	sppsvc.exe
1580	sppsvc.exe
804	sppsvc.exe
2660	sppsvc.exe
2108	sppsvc.exe
1684	sppsvc.exe
2068	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	DllCommonsvc.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	2796	sppsvc.exe
Token: SeDebugPrivilege	2208	sppsvc.exe
Token: SeDebugPrivilege	2072	sppsvc.exe
Token: SeDebugPrivilege	2528	sppsvc.exe
Token: SeDebugPrivilege	1580	sppsvc.exe
Token: SeDebugPrivilege	804	sppsvc.exe
Token: SeDebugPrivilege	2660	sppsvc.exe
Token: SeDebugPrivilege	2108	sppsvc.exe
Token: SeDebugPrivilege	1684	sppsvc.exe
Token: SeDebugPrivilege	2068	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 2800	2952	JaffaCakes118_69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f.exe	30
PID 2952 wrote to memory of 2800	2952	JaffaCakes118_69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f.exe	30
PID 2952 wrote to memory of 2800	2952	JaffaCakes118_69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f.exe	30
PID 2952 wrote to memory of 2800	2952	JaffaCakes118_69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f.exe	30
PID 2800 wrote to memory of 2928	2800	WScript.exe	31
PID 2800 wrote to memory of 2928	2800	WScript.exe	31
PID 2800 wrote to memory of 2928	2800	WScript.exe	31
PID 2800 wrote to memory of 2928	2800	WScript.exe	31
PID 2928 wrote to memory of 2956	2928	cmd.exe	33
PID 2928 wrote to memory of 2956	2928	cmd.exe	33
PID 2928 wrote to memory of 2956	2928	cmd.exe	33
PID 2928 wrote to memory of 2956	2928	cmd.exe	33
PID 2956 wrote to memory of 1636	2956	DllCommonsvc.exe	83
PID 2956 wrote to memory of 1636	2956	DllCommonsvc.exe	83
PID 2956 wrote to memory of 1636	2956	DllCommonsvc.exe	83
PID 2956 wrote to memory of 2300	2956	DllCommonsvc.exe	84
PID 2956 wrote to memory of 2300	2956	DllCommonsvc.exe	84
PID 2956 wrote to memory of 2300	2956	DllCommonsvc.exe	84
PID 2956 wrote to memory of 1984	2956	DllCommonsvc.exe	85
PID 2956 wrote to memory of 1984	2956	DllCommonsvc.exe	85
PID 2956 wrote to memory of 1984	2956	DllCommonsvc.exe	85
PID 2956 wrote to memory of 1608	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 1608	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 1608	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 2744	2956	DllCommonsvc.exe	87
PID 2956 wrote to memory of 2744	2956	DllCommonsvc.exe	87
PID 2956 wrote to memory of 2744	2956	DllCommonsvc.exe	87
PID 2956 wrote to memory of 1708	2956	DllCommonsvc.exe	88
PID 2956 wrote to memory of 1708	2956	DllCommonsvc.exe	88
PID 2956 wrote to memory of 1708	2956	DllCommonsvc.exe	88
PID 2956 wrote to memory of 1580	2956	DllCommonsvc.exe	89
PID 2956 wrote to memory of 1580	2956	DllCommonsvc.exe	89
PID 2956 wrote to memory of 1580	2956	DllCommonsvc.exe	89
PID 2956 wrote to memory of 2528	2956	DllCommonsvc.exe	90
PID 2956 wrote to memory of 2528	2956	DllCommonsvc.exe	90
PID 2956 wrote to memory of 2528	2956	DllCommonsvc.exe	90
PID 2956 wrote to memory of 2760	2956	DllCommonsvc.exe	91
PID 2956 wrote to memory of 2760	2956	DllCommonsvc.exe	91
PID 2956 wrote to memory of 2760	2956	DllCommonsvc.exe	91
PID 2956 wrote to memory of 1952	2956	DllCommonsvc.exe	93
PID 2956 wrote to memory of 1952	2956	DllCommonsvc.exe	93
PID 2956 wrote to memory of 1952	2956	DllCommonsvc.exe	93
PID 2956 wrote to memory of 2908	2956	DllCommonsvc.exe	94
PID 2956 wrote to memory of 2908	2956	DllCommonsvc.exe	94
PID 2956 wrote to memory of 2908	2956	DllCommonsvc.exe	94
PID 2956 wrote to memory of 2920	2956	DllCommonsvc.exe	97
PID 2956 wrote to memory of 2920	2956	DllCommonsvc.exe	97
PID 2956 wrote to memory of 2920	2956	DllCommonsvc.exe	97
PID 2956 wrote to memory of 2896	2956	DllCommonsvc.exe	98
PID 2956 wrote to memory of 2896	2956	DllCommonsvc.exe	98
PID 2956 wrote to memory of 2896	2956	DllCommonsvc.exe	98
PID 2956 wrote to memory of 2780	2956	DllCommonsvc.exe	99
PID 2956 wrote to memory of 2780	2956	DllCommonsvc.exe	99
PID 2956 wrote to memory of 2780	2956	DllCommonsvc.exe	99
PID 2956 wrote to memory of 2924	2956	DllCommonsvc.exe	100
PID 2956 wrote to memory of 2924	2956	DllCommonsvc.exe	100
PID 2956 wrote to memory of 2924	2956	DllCommonsvc.exe	100
PID 2956 wrote to memory of 2904	2956	DllCommonsvc.exe	101
PID 2956 wrote to memory of 2904	2956	DllCommonsvc.exe	101
PID 2956 wrote to memory of 2904	2956	DllCommonsvc.exe	101
PID 2956 wrote to memory of 2776	2956	DllCommonsvc.exe	102
PID 2956 wrote to memory of 2776	2956	DllCommonsvc.exe	102
PID 2956 wrote to memory of 2776	2956	DllCommonsvc.exe	102
PID 2956 wrote to memory of 2772	2956	DllCommonsvc.exe	116

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_69b6c3989bec4ca7feeb269b6f9b1271089f65fda492b3d47b7737ffff0c389f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZQM4pW72pX.bat"
        5⤵
        
        PID:2772
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1676
      - C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        7⤵
        
        PID:772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2420
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat"
        9⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1732
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        11⤵
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2708
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        13⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2700
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        15⤵
        
        PID:380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2204
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
        17⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1392
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat"
        19⤵
        
        PID:1544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2436
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        21⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:772
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
        23⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2860
        
        C:\Program Files (x86)\Google\Temp\sppsvc.exe
        
        "C:\Program Files (x86)\Google\Temp\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
        25⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Contacts\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Contacts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\Aero\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec5db480ab395b4d4c95f2875e992597

SHA1
3940ac6ef508bdf3c64a7b3f4aec01da69602322

SHA256
a51e14d96fc00a762820e56e593327ed1e0418fba0664ff412e322b8d9faca35

SHA512
929bb30c96b7d4c99dd972d5c173732f38cb110d07975188b6783ad1c2c863ab28792415e3dcc2644e69e4cb1057659ab9d576a9df3ffe8521ed45ce788e0641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c6633c28258ef0a35499675ddca8321

SHA1
9c0c4575208e1b6e7b0bc51964de8e3693320aac

SHA256
5a7d370efc265590bb61306e277e4197507619207d95fade79c84f2415575dbe

SHA512
c466d658667ed157324379c867cfae52c3690fcda579b3909fca4b1a9d0f9dbbc9d01a3342e9399d5143c8d2245baadb492b48f52e64030664fcefddbd448d88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d377996fcb5e2943a595b5e45f94bd81

SHA1
c2a47695cca7a6fec5b46dfce043ce2e09ee6696

SHA256
7126d25931eba5e0f63b521b5d386560ed52eeaf4f753a971c5e1b961d852f81

SHA512
c4f8418c7be00ee8d650efc49fa29600e45ef0f75ca345720f4c85688d31202137bdb11d3cdb68885ad388997480d305e2b7dee9d7623f370fd9794f42aa05a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e855390bda57d6990924d8e6c28927f

SHA1
0de7f80e96078e9b30d3b150eae773c98c6c2ec4

SHA256
ab5c4d100726e18e2774d03f05535d5e37d2e394bc6042fbe34025e235152061

SHA512
7031ac9029fb7ea7eb3da732583477a9a4f2805002303ce9f3834ee643292dbe414c5f5823429b81df23ef37960e7677125dd9ce8715c04e4a2bf13e2a956446

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44a30e3ef7b050baebb053dca7a3511d

SHA1
296f2c8a972f17b4374c21f0661c32a854bc7959

SHA256
966160a1974a70fbd809e2adfe16efcb7160fe1423371bd13ba559bc6795572d

SHA512
69448b600b510dccf12f2253dc4394d336a171e5e0d67c9f55a88d74d554d14dc015a3f68509949e2835345789edf3f7e722bef2ece65d69b74a70a2dc791a9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edb8ed87191eef8b051acc3911c90db2

SHA1
faa503f7dbf25c991218ffaa25c77e7574446262

SHA256
35fa35602453ddc57100a5fe194cfed4f8cd727667d89dedcc5d1ea2b550a577

SHA512
78ea5c3d80e9963c5c604662b303112a3b902063f5619504a4f0e57c5b8cd24e8a07e40e5b80f55bfab557f9835f7a62591427412e7a7d42eb417272778294ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11660f0e932ce4f360bda4a1ab714dc7

SHA1
e3bfc25beec847386cd0df00ab735a2eb7650c67

SHA256
f1375e54d3d932467f20ac9835c70c4b6deb28a997d0f2607c17ef0158e182d5

SHA512
c7d3106919b6b95661b181d1c3835e0b008d2b8f5a1da88a3226ad039f7db9a590ecb75dc6c642b128947dd51d1c25f73ea84a9791bdd20d6124efef238cc6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
913d4a5a8fff439b1e55d6840e17c35c

SHA1
826701aafb0651c6cd60ed1ca35252fbe4c83c8f

SHA256
55c6f7be9abeaf8bc649242c17e798732a6a882f43d2cd13064cb94670264a89

SHA512
ec9c4b5417c824a0371015da198a287e3634f3b6a7b73539d1dea9f8437fb2573e44d3e844ad54810b83b01a6aed2489de84d748bf39ee4436f4cd59f538c1d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e51dd34dbfbfcd5446742f9b9cbd546

SHA1
12cf4ec73ac4b51fdd122e91ffdb1c0f386b1573

SHA256
ab100b78bee1fcc504f251ae48c561ff48301ceceadbcee81b0e3a1ae512dcea

SHA512
84d2c923e741f6927da1bdb02521dc86bc8e9f78f1c6c53645476d856d567be8ffa60396d78c6ba503481c6aea5f7b2296822fd9d53c8822a68532790319b18f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
210B

MD5
7c9b47d7f962715f72344586fe4a2f42

SHA1
8a25f87e8b31ea129c65bb4ff0573d2eff3f709d

SHA256
ecd733c336f5c634a00c6b41ea61333476253fd39cf8483edcb3d074fbad6d3f

SHA512
d0ed3bfcdcd1eaa5aaeda0ba20048df153afa04b5ab24f61bc4ed666b7dde32e1c035f1942952a352075d3650949c79645b8e08ef84a2cf65b5164997b09bc1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uGRILFBWR.bat

Filesize
210B

MD5
6541f3cbc45d89fff6458bf7d07f4c9f

SHA1
5cf588b1e6465df26748e37e9cde56e9f6d87040

SHA256
85622195bf4d02b660cb5e35c9bc75e79874664547a31db1a36c431d0e86871a

SHA512
e87d418bf801c5294b27f3fb9e88f9cf292c254d0255d281090f2357e13008f1a8a29feb711873bc171d59d53fd9620978ee6cbc0b0864779462a7f3e308d629

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Usvo58uhQ.bat

Filesize
210B

MD5
9850e845b5b15fbbd275d8c3c5487ecd

SHA1
3abfc800d5ad904a3fa4402dac460e73250d1002

SHA256
7f27193d50247e1f20a5a33340cefdca1882602cf711b1d7b46a55ddc704b1c0

SHA512
2258c538776f76cd45422912b33b459418798ef86fb40b2e2dd6f5313781541c0322875cdd960c83b82ddab8dea13d681655f8d26deeece5cbac64173f3742dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab64FC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
210B

MD5
1ba9afd5718b83d782af7874bf21bb9b

SHA1
1490ca4899b3cdacd14788acd91842fa05b850bb

SHA256
2e79ac0f3887f795bc4b47b275ce3aec0084f43e7418a73d06dd1dcae30b477e

SHA512
af5df03fca4ffea4a560bfca9736531978343f3ad1f467cd9c67801ba9e10d51dbd7c33ed9f0a95915384745826b4ccb6d36c089cf775eddeb851beaf29fa245

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat

Filesize
210B

MD5
b94db73bc7c95e55b7d56da3017913a9

SHA1
2c4e2952689c5bc91c52ab480f51d76da4b1e5fa

SHA256
beadc063ff5f1c58226237ecc098c5ca27575cd3a201f29f75a2555b1088ea51

SHA512
ae6550b7e2ec71324fa6cb4270d15a43b4999a578784c804d61426fb9d9152ace82ad4599304fd67950fde5339f581f9dc744421371a27faa1af955efab7cb7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar650F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat

Filesize
210B

MD5
b957a57b48e395d9bf0d436f49248a9d

SHA1
3372beafe7b965181c99025bb854ef31b2ff679c

SHA256
da665ba733a38e1db5d38038b00477495edb52e0f1fecf5b85187e2bb7a21229

SHA512
b6f258320619df136942bc984dbd2c01b4750870fcac2a0531a2afdea1d4de0bb8ae368180908e2f0e518cbc421815ae2632fb24e4578cfcecc1fec4c656df25

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZQM4pW72pX.bat

Filesize
210B

MD5
eb51e73492195c7a4af5b4f3895fa888

SHA1
7a6a30b8541e6b8fac06875aa7241974be61e26b

SHA256
7853779d6633e48ec8335c9de40cf5bf406ab2f02cbf0c47e28400f6fbc2f4f9

SHA512
f559d4bb6837b750c84089fce261ee2c0ee0f5de06689e2ff048d7c3da09232fe3c398f62ac1dbd66e97610d4fb37ff431613c84ced2d54398f186ca4cd0f17e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

Filesize
210B

MD5
07818bdea66812f86f574401a5ad3654

SHA1
a94ce46cb0e5312b472e1971c2bde39c903b5268

SHA256
aacaa0db49f0bbf8fee9e88230909d4a818ea266b8dccd75c16b67ccb4ba1c0c

SHA512
3bc799e288886d675cc561fc852fd5449b4bd8aa6e5e6c0b9b68d206cf064bf9a0d876f6a079ba47843cd2e95715e61f30b33ef402642b9c8aa445d74b4938fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
210B

MD5
59161c1367339d8df84bbfdb98432cb5

SHA1
6ee67f24e3ab029b45fabd0f07395085dfb4363c

SHA256
a23b27fe96bc0c20ccaf01b0ded308b54c525f1b99fc69b5e593e8c402e27c83

SHA512
98e15d8d76225ae7cdc21b4286f26b92359a2aad7cd4abc8cb1d038ba0b4d9f91e734ced26f1b039ec09b7da44ed80b6463c2e50e0621b4c3850ba813d33fe54

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
210B

MD5
2acc866354c281a56cb0bf8ffad61b6d

SHA1
40790147df945b3ab4698ae811f863ba961c7818

SHA256
d238f91ac907fd298bbb2b21527ae1441f1f1a9d92071511b7cfc34db089feaf

SHA512
b6fcdeb89a155401f7519f62c63399b30bf176892958c6d1a3ddb71f6e18ecd99992972cbdb6c87bf5c64e71a406d37712d03bbef7c405b2cf80ace6121b2f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
210B

MD5
0c22442dc6994bc4c05a0ddc2c2dd7b2

SHA1
6103515ae73c7609fed0ab615fcafc55d85f790b

SHA256
ab995265a08f0ca8954462401cb67447b815ab4960ceb36769ee072ef8f49c06

SHA512
10632abc4d60db1a04cc36c5180b1ce6960c4cf5b63d4465d64e3750582a5fca047fe673e50ccdecd1b2a8d5390bc9bea54185f28273d7f2cfa1ba85ff824c3c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
875a410528d0ed539cd267656779bf12

SHA1
111bf8642232f056693fcebf141f3579ff5e2ea3

SHA256
93f9feb2fbdf2879e4487fb5b63b2edd89e10de4d7caa409c7594f47f98b9f96

SHA512
f4df2870def1b3ca9c8b23349860f7d839a1f4955d5db258e1018432083aa1953cfcfadc407d3a024e5fb713cce838807e982dfeeff859f9a4de1cbb7b57d634

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/804-438-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/1580-378-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-618-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2068-678-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/2072-257-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2108-558-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2208-197-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2300-59-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/2300-58-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2528-318-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2528-317-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2660-498-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2796-138-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2956-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2956-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2956-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2956-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2956-13-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download