dcrat | 6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 03:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97.exe
Size

1.3MB
MD5

cc9ad0d0f99cccca23f1f3e704f9adb8
SHA1

e3d95c302595f9a21d8a8eac7399ed3a972f4775
SHA256

6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97
SHA512

49712473adfdee7d0f98fc78cb5a7b31ac65a87b233823efe82cc101e66da87f7465ef58a72960885660154ab35294da93f70240d3a22c4c82cb97418329aded
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2532	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2532	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014ba6-9.dat	dcrat
behavioral1/memory/2892-13-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/2300-92-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2872-299-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2192-359-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2500-419-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/972-479-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1504-539-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/3028-599-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2432-718-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
480	powershell.exe
2500	powershell.exe
1640	powershell.exe
1604	powershell.exe
1544	powershell.exe
2908	powershell.exe
2916	powershell.exe
1988	powershell.exe
344	powershell.exe
2380	powershell.exe
2132	powershell.exe
1836	powershell.exe
3024	powershell.exe
2304	powershell.exe
2776	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2892	DllCommonsvc.exe
684	DllCommonsvc.exe
2300	schtasks.exe
2500	schtasks.exe
2020	schtasks.exe
2872	schtasks.exe
2192	schtasks.exe
2500	schtasks.exe
972	schtasks.exe
1504	schtasks.exe
3028	schtasks.exe
3000	schtasks.exe
2432	schtasks.exe

Loads dropped DLL 2 IoCs

pid	Process
2896	cmd.exe
2896	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
28	raw.githubusercontent.com
35	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\winevt\TraceFormat\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\System32\winevt\TraceFormat\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\3a6fe29a7ceee6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\it-IT\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Nature\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Nature\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteApps\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1860	schtasks.exe
2984	schtasks.exe
1388	schtasks.exe
2780	schtasks.exe
1684	schtasks.exe
2176	schtasks.exe
1904	schtasks.exe
2600	schtasks.exe
2348	schtasks.exe
880	schtasks.exe
1852	schtasks.exe
2840	schtasks.exe
1236	schtasks.exe
2856	schtasks.exe
2636	schtasks.exe
264	schtasks.exe
1876	schtasks.exe
2348	schtasks.exe
572	schtasks.exe
1700	schtasks.exe
328	schtasks.exe
2416	schtasks.exe
2976	schtasks.exe
2268	schtasks.exe
1884	schtasks.exe
1340	schtasks.exe
1244	schtasks.exe
2972	schtasks.exe
2868	schtasks.exe
2964	schtasks.exe
1872	schtasks.exe
900	schtasks.exe
2124	schtasks.exe
824	schtasks.exe
764	schtasks.exe
1844	schtasks.exe
2860	schtasks.exe
296	schtasks.exe
1968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2892	DllCommonsvc.exe
1988	powershell.exe
2380	powershell.exe
2500	powershell.exe
344	powershell.exe
1604	powershell.exe
1640	powershell.exe
2304	powershell.exe
684	DllCommonsvc.exe
2916	powershell.exe
2908	powershell.exe
684	DllCommonsvc.exe
684	DllCommonsvc.exe
684	DllCommonsvc.exe
684	DllCommonsvc.exe
684	DllCommonsvc.exe
684	DllCommonsvc.exe
3024	powershell.exe
1544	powershell.exe
2776	powershell.exe
480	powershell.exe
2132	powershell.exe
1836	powershell.exe
2300	schtasks.exe
2500	schtasks.exe
2020	schtasks.exe
2872	schtasks.exe
2192	schtasks.exe
2500	schtasks.exe
972	schtasks.exe
1504	schtasks.exe
3028	schtasks.exe
3000	schtasks.exe
2432	schtasks.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2892	DllCommonsvc.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	684	DllCommonsvc.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2300	schtasks.exe
Token: SeDebugPrivilege	480	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2500	schtasks.exe
Token: SeDebugPrivilege	2020	schtasks.exe
Token: SeDebugPrivilege	2872	schtasks.exe
Token: SeDebugPrivilege	2192	schtasks.exe
Token: SeDebugPrivilege	2500	schtasks.exe
Token: SeDebugPrivilege	972	schtasks.exe
Token: SeDebugPrivilege	1504	schtasks.exe
Token: SeDebugPrivilege	3028	schtasks.exe
Token: SeDebugPrivilege	3000	schtasks.exe
Token: SeDebugPrivilege	2432	schtasks.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2652	2100	JaffaCakes118_6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97.exe	28
PID 2100 wrote to memory of 2652	2100	JaffaCakes118_6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97.exe	28
PID 2100 wrote to memory of 2652	2100	JaffaCakes118_6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97.exe	28
PID 2100 wrote to memory of 2652	2100	JaffaCakes118_6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97.exe	28
PID 2652 wrote to memory of 2896	2652	WScript.exe	29
PID 2652 wrote to memory of 2896	2652	WScript.exe	29
PID 2652 wrote to memory of 2896	2652	WScript.exe	29
PID 2652 wrote to memory of 2896	2652	WScript.exe	29
PID 2896 wrote to memory of 2892	2896	cmd.exe	31
PID 2896 wrote to memory of 2892	2896	cmd.exe	31
PID 2896 wrote to memory of 2892	2896	cmd.exe	31
PID 2896 wrote to memory of 2892	2896	cmd.exe	31
PID 2892 wrote to memory of 344	2892	DllCommonsvc.exe	57
PID 2892 wrote to memory of 344	2892	DllCommonsvc.exe	57
PID 2892 wrote to memory of 344	2892	DllCommonsvc.exe	57
PID 2892 wrote to memory of 2380	2892	DllCommonsvc.exe	58
PID 2892 wrote to memory of 2380	2892	DllCommonsvc.exe	58
PID 2892 wrote to memory of 2380	2892	DllCommonsvc.exe	58
PID 2892 wrote to memory of 2304	2892	DllCommonsvc.exe	59
PID 2892 wrote to memory of 2304	2892	DllCommonsvc.exe	59
PID 2892 wrote to memory of 2304	2892	DllCommonsvc.exe	59
PID 2892 wrote to memory of 1988	2892	DllCommonsvc.exe	60
PID 2892 wrote to memory of 1988	2892	DllCommonsvc.exe	60
PID 2892 wrote to memory of 1988	2892	DllCommonsvc.exe	60
PID 2892 wrote to memory of 1640	2892	DllCommonsvc.exe	62
PID 2892 wrote to memory of 1640	2892	DllCommonsvc.exe	62
PID 2892 wrote to memory of 1640	2892	DllCommonsvc.exe	62
PID 2892 wrote to memory of 2908	2892	DllCommonsvc.exe	64
PID 2892 wrote to memory of 2908	2892	DllCommonsvc.exe	64
PID 2892 wrote to memory of 2908	2892	DllCommonsvc.exe	64
PID 2892 wrote to memory of 2916	2892	DllCommonsvc.exe	65
PID 2892 wrote to memory of 2916	2892	DllCommonsvc.exe	65
PID 2892 wrote to memory of 2916	2892	DllCommonsvc.exe	65
PID 2892 wrote to memory of 2500	2892	DllCommonsvc.exe	67
PID 2892 wrote to memory of 2500	2892	DllCommonsvc.exe	67
PID 2892 wrote to memory of 2500	2892	DllCommonsvc.exe	67
PID 2892 wrote to memory of 1604	2892	DllCommonsvc.exe	69
PID 2892 wrote to memory of 1604	2892	DllCommonsvc.exe	69
PID 2892 wrote to memory of 1604	2892	DllCommonsvc.exe	69
PID 2892 wrote to memory of 684	2892	DllCommonsvc.exe	75
PID 2892 wrote to memory of 684	2892	DllCommonsvc.exe	75
PID 2892 wrote to memory of 684	2892	DllCommonsvc.exe	75
PID 684 wrote to memory of 3024	684	DllCommonsvc.exe	91
PID 684 wrote to memory of 3024	684	DllCommonsvc.exe	91
PID 684 wrote to memory of 3024	684	DllCommonsvc.exe	91
PID 684 wrote to memory of 2776	684	DllCommonsvc.exe	92
PID 684 wrote to memory of 2776	684	DllCommonsvc.exe	92
PID 684 wrote to memory of 2776	684	DllCommonsvc.exe	92
PID 684 wrote to memory of 1836	684	DllCommonsvc.exe	93
PID 684 wrote to memory of 1836	684	DllCommonsvc.exe	93
PID 684 wrote to memory of 1836	684	DllCommonsvc.exe	93
PID 684 wrote to memory of 1544	684	DllCommonsvc.exe	94
PID 684 wrote to memory of 1544	684	DllCommonsvc.exe	94
PID 684 wrote to memory of 1544	684	DllCommonsvc.exe	94
PID 684 wrote to memory of 480	684	DllCommonsvc.exe	95
PID 684 wrote to memory of 480	684	DllCommonsvc.exe	95
PID 684 wrote to memory of 480	684	DllCommonsvc.exe	95
PID 684 wrote to memory of 2132	684	DllCommonsvc.exe	96
PID 684 wrote to memory of 2132	684	DllCommonsvc.exe	96
PID 684 wrote to memory of 2132	684	DllCommonsvc.exe	96
PID 684 wrote to memory of 2300	684	DllCommonsvc.exe	103
PID 684 wrote to memory of 2300	684	DllCommonsvc.exe	103
PID 684 wrote to memory of 2300	684	DllCommonsvc.exe	103
PID 2300 wrote to memory of 1120	2300	schtasks.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6167fb58c6128003565dbd61fd8ce2d5a401aaee5833c8e687027ab8f1fefd97.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Nature\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:684
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\winevt\TraceFormat\spoolsv.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
      - C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"
        7⤵
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2112
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat"
        9⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2000
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        11⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2308
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        13⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1276
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
        15⤵
        
        PID:2676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2696
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        17⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:748
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat"
        19⤵
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1620
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        21⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1928
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        23⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2776
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        25⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2632
        
        C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe
        
        "C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Nature\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Nature\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Nature\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteApps\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\winevt\TraceFormat\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\winevt\TraceFormat\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\winevt\TraceFormat\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Downloads\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aed7c93dd5cb6e3f8ef3d2ca8d26fb5

SHA1
ee03e0d282e72f52a396b6b5407402bfacb5c614

SHA256
41e0f52492f93ea03bd934910454103f5fdd13636e61fcdd66deaf0e4121e029

SHA512
29a22ef924d9fccb3033797115e511abe3922e5a66d8ab4f57aa600d249b0b04b0422c1704347cf82b6a125760d5fa07b8b4ed4f4ea487caa1613756d55fff11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c215c9e448c2aae4ff87b68322ea7cde

SHA1
e4b7ac30353f2a0ea473a17e2cc875a8af2a92fb

SHA256
a5bf1918862e60b6a1d7c2269afa6b7acc74239d26be55b0a1277013b98ec9df

SHA512
58bfb5b348dcaeb47370ae521bbed9f16f58df3b57302fadcd5818472e4dce847d4d1f343665ccf0abe7b82b2e2362091af849e76d391bc48e7228dccf52eaf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acc9738050af28dbd80f46f313086c5e

SHA1
e24a5d35edf0472c7b2d02135ca321100a4b23eb

SHA256
ea70bd23c40edfbd026f46c7b1966a788cc8fb9a5fad2a155401a8e7e5c7193a

SHA512
9796d37721b78c4148794a5029813c5238e2963c64b5c3dde123ad38b5f70c198be6c9a6f8d538809b50a39957492b0d69f9d20fd312b23092f9a7c8349b4a81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bcb8d32a7470b1ca7322733f7b29abe9

SHA1
4d3a79f020b79dc751b71c4b7fe90f53bbc49b3e

SHA256
fbfa9c61d705addcc9885dd4f05a948231eefc5ddac481d314d8fe67d1b23d08

SHA512
fc32db59a5b2d8862601e9605a1d9ebda1bca7304115bc44d0fdae3438e79c983ef82c1c1e8ed91a9116a2d170291585d560e40195cf0574563eeb381fb826c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81b7c53b02378900c250484e62650591

SHA1
744eda819a83bcab335d4ac5da90d7107aca0958

SHA256
a3237cdf57797504f2b9a08b42421b08df13f6e185c2d5662583772bd87849cc

SHA512
8524ccb2f7b115708c0ded2fbc1bc00269e75fdec92b4e8880bb5b75cb4d8765cbd0810dc19dc37a53c4920d873fe5915ed6e5af4e47d8ff6f49cf72c3db29c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
757e750f1efc98856b7865ae72d9c7cd

SHA1
0aacc8d30cd0c6d44253b3d70b2fa1ada09e2a50

SHA256
72548294f3f9b14db70bf440fc611e1b423094b9361cc74030fdb82d0ea5faa9

SHA512
24704e33cfc1455a0c66f6150b4501d443451cfe971080048ef09222433b46929180d44fa9934b3edde9d48541b4d48b1c14eda252684aad3827f6599a253bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fcff5c7c4ffa50c9ae60c984b8bf5c5

SHA1
e69dde7411a66a6fbfc8e3d6e12fe03386fa3ed3

SHA256
d46429cc76c0d5178ad3a691539fc9f4dbd38a031b84d50c19fb7cdd0517362d

SHA512
3a1d7b070a17dd428bcf1d00adafea37f25b651ca0c6281015147b8881db33e85543dfd32d7d959dbdbea3fd94ec52540de098229343673e6936b9be7050282f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db16ce4861aa4d3fc3c28ed9d1388b73

SHA1
45760002ce5993cd75517c3e4fa6ab9dc5358159

SHA256
3eba456700a7d2a864438fbb4b2aec33f33ae75401ff0f58057b13f2d4a23f59

SHA512
cf67646a64ff0bfc3830a4ad6ee7ab171e1d7a53f4e5ec223aa68ce2b7b04abd44345a81d3b81ce404db945316d90a8f9b000e1317c9db8ed64040658c95477c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
556d5e18a5d815ff7c97c88e7e13425c

SHA1
ea7b1863f3b603bdff1b0f7aeebc112bf64c139e

SHA256
0281f3f0d005ecd253b85c5354b31f025ab807af3c452e93e288e15d93114867

SHA512
213f5660922b9f490b519187b8d9eba3394fbe162b17bd08370270e1310f5556ff37d3be9f74ae51b0fcd9c546fcb16b713efd0928170a535a1a9ff96dbc1128

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

Filesize
236B

MD5
694383788fb0b958e476d8c659ffab28

SHA1
db687158593b7f24c39a7c92437129217a511929

SHA256
c7f13b06ba6c75f06cbc17547d42b9e84b961e0c90fe1094e4e7965aa00ea0d8

SHA512
30119958882133d3da9c1c4a3f31ba3c55e393fbef5ec970bfc395328fb813fc5fad426dd2e187c69aaa8038b7399f403400104ea7a4ff99bd160c87e784e31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat

Filesize
236B

MD5
63f3871633925e4d287970dd3c47c337

SHA1
1f0fee287a41fcd0b7b40e793dcb3690fb3a85e7

SHA256
068a46ae9f89932efa0ca2b60b0bb3c65282bcc198f51fa5a857b8b572bb3ce1

SHA512
b3910f2c7bf5ebd2d53db50f1ed567d27c82ca87b8a114a2acc595cbbaabbbe30b4881a5b6d3d9c70baf51f4751faaa6abf93ec4839ee53c52547d1e4bfbeaf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
236B

MD5
b0a5b9165e7b0f04313c39df1fbe0034

SHA1
44d4008bab11606eb2a253d3bd8834042bfca066

SHA256
7cad2af6e5b62179faf1003ca82f1cfa74cf7618eb19fbfc2f2c65f14b94f79a

SHA512
9fc8aafec1c7595094d404bfab6d5fb8ad69d52df38d8e85af401645c9e4b6bd6d71518a666994db82350e1cac8aaaf7d6468f4e0fa7cc3878a986ea4b672580

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8642.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
236B

MD5
c42ffab1728d0c01d276dd4528415da0

SHA1
bb4a0dfe8c3feab03c281f689d92be1e5659d59b

SHA256
a157d27f14f9fcccb83f7444b2ad49f9f2057f0eb765ab25abf3147def38ec9a

SHA512
12a891213a09cc53e721c7ed594e28d54b991b8687809a47ad315dff52f5eb3d83397110912cac1876deb71a259073040e9f8d81797e7e06e1938b0600461d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8654.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

Filesize
236B

MD5
5d0d6bcaefc71a26b9055e38519e5493

SHA1
ce4992546ccf9fecb120743935a3b2027a5bea37

SHA256
470a530f6c904f2499189846bc22375e4c37227ebc2a5300cbb2da528ef3a882

SHA512
0dbaafe094772ff697abc7b5d913256cf8e8b6f9b13790d4850faac8897b806f6a24f9333d4b27608223524571c1e00a9b86f68d5330dc049bb1cdc00fea760d

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
236B

MD5
29b8d1686c2941e7049fe49a3ec6e9d6

SHA1
264afd55e28924b558d791d638f651f880f43fa4

SHA256
b23762f08995e9a1bba03c8e94a640069c64f9234fa10648f45ea2fbd1eefea9

SHA512
7f73b6de303a22fd508a3d46ccb80f5b01515669983f32d44a85a0950211da9427105ef307eae1be966e0f091674c4e0aafaf923292b4a9246d877548f8cc8cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
236B

MD5
bce62187e58a8dfcbd9918d47e20c25a

SHA1
6995d94687f8339f347c9d7719a2c6b785787b0d

SHA256
742f6507d892acaa16faa4c9ef63e3e49e49fd0539d14b6da0a198fe270a5fc0

SHA512
b80daaa71749ad4fb43ec86c4e8390269cf371fb7f945004c7fc5b9ae709778c58b2e3f059f38e2aa83b0d4136a7c983a7e8961bf10622c40eec50d2a3ed1849

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
236B

MD5
e4afbc48a89254b9ab0525a13d4be80b

SHA1
5b78dede3e219faf62fa8aac7bc5cc05ff1fea09

SHA256
22b05ca7f2f661b254d315672aa759a1a84db9ee442e848abede451b569971cc

SHA512
e3714233ea54889719098283b13922807d96fd7b9ece86667d06d0519ac9a8349c5d61b72fd82abaf4c6430f90509a25e4d3a60788cddf9dd4e0c85f8b5444bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wYroxckjTC.bat

Filesize
236B

MD5
167c30d27f47bfe9479431b60753ada3

SHA1
9516eabe001463dd3cebc9e942fe206caeeb3ab3

SHA256
842cab7ffcf11249902592ffc28288a89e5a4ae2c22d0f1e919e0b5106037be8

SHA512
b41189a485e3a2edac198bb91d50f9dc0c1bf2c8206c7ad7b48c53db1ece61761999101963b986ebc8a83b575727e9b9daba04308b40ae4eb1ed4f5e6096ed12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
23b33a8827e63453138263c91030cd83

SHA1
c2ee30fc912bd1ebdcda5a6b9b86a78a41390b83

SHA256
979080190dda570d9ab946a08df84fee0499358fdf139d430421462c5ea1aed1

SHA512
56d7c36cb411d8e8acc2fda0c3cc6020a67dfc22398b69465fa973296b0cf8ceb5cbea7d2915ce62235284a0687d2892fcfc220daf33ef480e92738f5ab60f14

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/972-479-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/1504-539-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/1988-46-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1988-48-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2020-239-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2192-359-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2300-92-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2432-718-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2500-419-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2776-107-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2872-299-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2892-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2892-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2892-13-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2892-16-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2892-17-0x0000000000510000-0x000000000051C000-memory.dmp

Filesize
48KB

Download
memory/3024-110-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/3028-599-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download