dcrat | 96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a.exe
Size

1.3MB
MD5

ecfc4da2b8a74e1c9a6fc6950d4c98b0
SHA1

7b5db6167f6260848857d4013fb9824613a35bdd
SHA256

96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a
SHA512

aeefb6fd20e554aa7a307ecfdef55d6e157b28d1e25ba6770ebe52b4d728cafb5217de9218ab5527e2a36af81d03ce3a947072be1803ffbc16bbb7c628585b67
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2568	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2568	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016edc-9.dat	dcrat
behavioral1/memory/2808-13-0x00000000008A0000-0x00000000009B0000-memory.dmp	dcrat
behavioral1/memory/2996-109-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/1852-249-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/664-428-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2408-488-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/1544-549-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/960-609-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/1284-669-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
892	powershell.exe
1844	powershell.exe
2892	powershell.exe
1304	powershell.exe
2012	powershell.exe
632	powershell.exe
1316	powershell.exe
2916	powershell.exe
1152	powershell.exe
2304	powershell.exe
1780	powershell.exe
2056	powershell.exe
536	powershell.exe
2132	powershell.exe
2336	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2808	DllCommonsvc.exe
2996	audiodg.exe
2764	audiodg.exe
1852	audiodg.exe
900	audiodg.exe
3016	audiodg.exe
664	audiodg.exe
2408	audiodg.exe
1544	audiodg.exe
960	audiodg.exe
1284	audiodg.exe
1756	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	cmd.exe
2804	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\es-ES\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\es-ES\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\RemotePackages\RemoteDesktops\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1980	schtasks.exe
2480	schtasks.exe
704	schtasks.exe
1540	schtasks.exe
2984	schtasks.exe
708	schtasks.exe
760	schtasks.exe
1376	schtasks.exe
2092	schtasks.exe
2184	schtasks.exe
2236	schtasks.exe
2500	schtasks.exe
988	schtasks.exe
2964	schtasks.exe
1664	schtasks.exe
2868	schtasks.exe
1992	schtasks.exe
2968	schtasks.exe
2552	schtasks.exe
2640	schtasks.exe
3020	schtasks.exe
932	schtasks.exe
884	schtasks.exe
2296	schtasks.exe
2368	schtasks.exe
2936	schtasks.exe
828	schtasks.exe
1552	schtasks.exe
3012	schtasks.exe
2152	schtasks.exe
1484	schtasks.exe
1440	schtasks.exe
1352	schtasks.exe
984	schtasks.exe
2156	schtasks.exe
2484	schtasks.exe
1080	schtasks.exe
1400	schtasks.exe
2348	schtasks.exe
1740	schtasks.exe
1904	schtasks.exe
904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2808	DllCommonsvc.exe
2916	powershell.exe
1152	powershell.exe
2056	powershell.exe
892	powershell.exe
2012	powershell.exe
1316	powershell.exe
632	powershell.exe
2304	powershell.exe
2336	powershell.exe
2132	powershell.exe
536	powershell.exe
1304	powershell.exe
1780	powershell.exe
2996	audiodg.exe
1844	powershell.exe
2892	powershell.exe
2764	audiodg.exe
1852	audiodg.exe
900	audiodg.exe
3016	audiodg.exe
664	audiodg.exe
2408	audiodg.exe
1544	audiodg.exe
960	audiodg.exe
1284	audiodg.exe
1756	audiodg.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	DllCommonsvc.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2996	audiodg.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2764	audiodg.exe
Token: SeDebugPrivilege	1852	audiodg.exe
Token: SeDebugPrivilege	900	audiodg.exe
Token: SeDebugPrivilege	3016	audiodg.exe
Token: SeDebugPrivilege	664	audiodg.exe
Token: SeDebugPrivilege	2408	audiodg.exe
Token: SeDebugPrivilege	1544	audiodg.exe
Token: SeDebugPrivilege	960	audiodg.exe
Token: SeDebugPrivilege	1284	audiodg.exe
Token: SeDebugPrivilege	1756	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2748	2828	JaffaCakes118_96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a.exe	30
PID 2828 wrote to memory of 2748	2828	JaffaCakes118_96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a.exe	30
PID 2828 wrote to memory of 2748	2828	JaffaCakes118_96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a.exe	30
PID 2828 wrote to memory of 2748	2828	JaffaCakes118_96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a.exe	30
PID 2748 wrote to memory of 2804	2748	WScript.exe	31
PID 2748 wrote to memory of 2804	2748	WScript.exe	31
PID 2748 wrote to memory of 2804	2748	WScript.exe	31
PID 2748 wrote to memory of 2804	2748	WScript.exe	31
PID 2804 wrote to memory of 2808	2804	cmd.exe	33
PID 2804 wrote to memory of 2808	2804	cmd.exe	33
PID 2804 wrote to memory of 2808	2804	cmd.exe	33
PID 2804 wrote to memory of 2808	2804	cmd.exe	33
PID 2808 wrote to memory of 2056	2808	DllCommonsvc.exe	77
PID 2808 wrote to memory of 2056	2808	DllCommonsvc.exe	77
PID 2808 wrote to memory of 2056	2808	DllCommonsvc.exe	77
PID 2808 wrote to memory of 2012	2808	DllCommonsvc.exe	78
PID 2808 wrote to memory of 2012	2808	DllCommonsvc.exe	78
PID 2808 wrote to memory of 2012	2808	DllCommonsvc.exe	78
PID 2808 wrote to memory of 632	2808	DllCommonsvc.exe	79
PID 2808 wrote to memory of 632	2808	DllCommonsvc.exe	79
PID 2808 wrote to memory of 632	2808	DllCommonsvc.exe	79
PID 2808 wrote to memory of 1844	2808	DllCommonsvc.exe	80
PID 2808 wrote to memory of 1844	2808	DllCommonsvc.exe	80
PID 2808 wrote to memory of 1844	2808	DllCommonsvc.exe	80
PID 2808 wrote to memory of 536	2808	DllCommonsvc.exe	81
PID 2808 wrote to memory of 536	2808	DllCommonsvc.exe	81
PID 2808 wrote to memory of 536	2808	DllCommonsvc.exe	81
PID 2808 wrote to memory of 2132	2808	DllCommonsvc.exe	82
PID 2808 wrote to memory of 2132	2808	DllCommonsvc.exe	82
PID 2808 wrote to memory of 2132	2808	DllCommonsvc.exe	82
PID 2808 wrote to memory of 2916	2808	DllCommonsvc.exe	83
PID 2808 wrote to memory of 2916	2808	DllCommonsvc.exe	83
PID 2808 wrote to memory of 2916	2808	DllCommonsvc.exe	83
PID 2808 wrote to memory of 2892	2808	DllCommonsvc.exe	84
PID 2808 wrote to memory of 2892	2808	DllCommonsvc.exe	84
PID 2808 wrote to memory of 2892	2808	DllCommonsvc.exe	84
PID 2808 wrote to memory of 1152	2808	DllCommonsvc.exe	85
PID 2808 wrote to memory of 1152	2808	DllCommonsvc.exe	85
PID 2808 wrote to memory of 1152	2808	DllCommonsvc.exe	85
PID 2808 wrote to memory of 2336	2808	DllCommonsvc.exe	86
PID 2808 wrote to memory of 2336	2808	DllCommonsvc.exe	86
PID 2808 wrote to memory of 2336	2808	DllCommonsvc.exe	86
PID 2808 wrote to memory of 1316	2808	DllCommonsvc.exe	87
PID 2808 wrote to memory of 1316	2808	DllCommonsvc.exe	87
PID 2808 wrote to memory of 1316	2808	DllCommonsvc.exe	87
PID 2808 wrote to memory of 1780	2808	DllCommonsvc.exe	88
PID 2808 wrote to memory of 1780	2808	DllCommonsvc.exe	88
PID 2808 wrote to memory of 1780	2808	DllCommonsvc.exe	88
PID 2808 wrote to memory of 2304	2808	DllCommonsvc.exe	89
PID 2808 wrote to memory of 2304	2808	DllCommonsvc.exe	89
PID 2808 wrote to memory of 2304	2808	DllCommonsvc.exe	89
PID 2808 wrote to memory of 1304	2808	DllCommonsvc.exe	90
PID 2808 wrote to memory of 1304	2808	DllCommonsvc.exe	90
PID 2808 wrote to memory of 1304	2808	DllCommonsvc.exe	90
PID 2808 wrote to memory of 892	2808	DllCommonsvc.exe	91
PID 2808 wrote to memory of 892	2808	DllCommonsvc.exe	91
PID 2808 wrote to memory of 892	2808	DllCommonsvc.exe	91
PID 2808 wrote to memory of 2996	2808	DllCommonsvc.exe	106
PID 2808 wrote to memory of 2996	2808	DllCommonsvc.exe	106
PID 2808 wrote to memory of 2996	2808	DllCommonsvc.exe	106
PID 2996 wrote to memory of 1856	2996	audiodg.exe	108
PID 2996 wrote to memory of 1856	2996	audiodg.exe	108
PID 2996 wrote to memory of 1856	2996	audiodg.exe	108
PID 1856 wrote to memory of 2084	1856	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96dad6e5e407ae57be58bfc4fe144c7b15c0d7bc22fc6eea4ab3a0edc969c81a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2084
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
        8⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:664
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
        10⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1836
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        12⤵
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1704
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        14⤵
        
        PID:588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1556
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        16⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2968
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
        18⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2264
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat"
        20⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1904
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat"
        22⤵
        
        PID:1328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1140
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        24⤵
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2844
        
        C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe
        
        "C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        26⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Documents\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\RemotePackages\RemoteDesktops\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e19a0ce9d7869e5d0c3c6968dbadf67

SHA1
b8102553aafbe835af0474a84d749c97e27a75c9

SHA256
fa155e0981838381c02e028f4368efeb24d56f485e7784bfabcc4811f2500f8a

SHA512
ff929d69a21b7e625c352e8b33e013410794e1ced8ca16839244796b17c835d1728bd266d89e22485607bb17766e32cc9ef748c159b4db24cc7535e06d0bb9fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9cb65d270f07c694f38a267a3e53622

SHA1
b7c47e42bdf448ab95fbe904183cf56945743d5c

SHA256
29cf365747cec9e638bf15e0716f350bbd693493f42b22d30541fe9c40ab90cc

SHA512
7bdcaa7850a92db124f353cb609b2bb028b34879263674f9c6fcc0b4f36d168d1fb23bf445fb4005a11cd2de8579d6c941a90d8428bf87c0c4de4d53900204ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd03882e4cf9b5707904840c099bebcc

SHA1
8b97f15a82934222d6ed7995584b12540a2ba7bc

SHA256
1abb7edb87c4edcb05f307e0b272b539982ac134acacbbe3b4ba641ef0c9a2ae

SHA512
f6fab1ebbbd43ccd50dd6941d8539e6c0404231f29d564628f838d240eeb0854da9e72e48fa770fe4d0b06aef625f61eae3fd6c67c7dfa3be0b5e540b2046831

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eec460b0d09c7713297d584d43b9c8dc

SHA1
2457474cfdc425a52c84ee462d71cdebfb58e6a0

SHA256
4885265b5ca1a61becc49fb2f5967004555543005bef08da988a604f61dee45b

SHA512
5ada6effbcc53efcfebd28bac0795f1dcc367ce5e7ee5ac52133b3d8983764cabe36df85c95ed51f9beeabf5cb68d0d373c29461af6d9ac82d55d020d79d50f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7bc5235839d617ea04e91ef55449e8a

SHA1
676d547c7d4c8e2eefe70b0b4db1a3fecf03fefc

SHA256
b57214b7be15f37ffcb3639542f2d25396bbaef5e2a833f4b2760231f3eda433

SHA512
8b19cc45fffd25138fc39e91de4ce36148fdc9e9a28497bff58f33f98b43f6593d68a3cf72c82e20e52bce3697f9c929c971b2905a798816e91761fff79ccfc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ce4713104f91aada866d337da736bf9

SHA1
e74d6896ae42901a7657e123cce72b2584576f22

SHA256
1324c551db2deb718331fdb71bcc9473d05ef23c252d52168769ea3825514682

SHA512
6621f99513ff1f4a43d7057fd6e8544c7cef6aae2907303ab552a58b2c228d816e7212c0bbc0a6bea148208660f83895da76f8c807d6c12663811da9db5b832a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ab274fef116f42b44f2967af74f79b6

SHA1
681fd20f0a4137c9b5c61916512a1c22c80d04c0

SHA256
ebd5a5285f4c21c119b83c64f47b9f0fb2937afd7ce3de04d56b0ba7280adf85

SHA512
4b210619fa8b63b02ade540abc59294cdda8cfa997b1a2f0d024900bf56ee553ad93d7aa62669d0efdbe7078e70eeaa80a5e2c6077edbd0cac91dcd5f08c61ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5642a06b6331a111462580c4168c0f71

SHA1
81d6d46482d1c4eff422bdce7a95072479965104

SHA256
617a330a44ed26d3249aa2ca1f3a755359d1eca5526ab80d935f4342b7fb326a

SHA512
012c3aa12e9f044ed56762459065ca95fd40ba06a66d0f1b51cdd606cabae5fdddbc5412a6f4d12198c3849cabcd236a9ec15ca6426c8cb134c799011d7d224f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76a260476ba6f1d8e3c32ed741b4d6f2

SHA1
ddc506664d3b63a545ffbd948334f376a1636ca8

SHA256
6288abada9845f7ce227ff605e1cdbba46a08f2b000ca7e257205b399f511afa

SHA512
b798b167cd24b5bcf22b3ca62af270bbdb0a40cfcbff3faeb4222747f0adb374fc894ae8876dd6b9474549caac9ec1d5973df19ef69d5417f1f74cc771719b54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acbb869723f8080495dde64826773dd5

SHA1
d5ba16df1468cea8aff79ce9934df8c15ef262f6

SHA256
2705cc8ff6e725b26430ecc81b0ea251afc7c5bf3428fed07367d929f0ddd873

SHA512
c96be85b7de4d510a8c0c71a2bd3c2ab577bdd805aecfa8a395ddcf7bd7f490637e24ff6f560d7da89f195acbb995b0c22273e5ef6f2cd150e5cddedd4260100

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yEObGBIDe.bat

Filesize
217B

MD5
180482ba073ba6c95909985db0e7a1ae

SHA1
dd3344107e21af1eb658bb889a3dad71b030ee1f

SHA256
ce788c8008fde45132a74f69025db760d3afc8f63c141927b99df663e5d54dd9

SHA512
8f409f5a4bc9822b6796e05186cf2798b6dcc6a6b769119abbf14b0cf38b79337afae1fca80c13f6ab2f7857d3836b2885e05f7bd34d6959efff09aebaed52c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat

Filesize
217B

MD5
f4e4f5351fbfe219044b8b5499bb548d

SHA1
1c1466617b4dcf0e9c3f597d12b90379bae9c60b

SHA256
f4c66ee530a1c6c166fdc9e8d845d1c9c09e808a70b877de6ff0c18bcb04a37d

SHA512
6867b623d30cc2b46613a9b33707b21d34cc936d92428a18a1061dbe2043b05d095db9dc8cfe62d59d28e4f3c4638cb5d38e64a42713d0881634953456ac2566

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
217B

MD5
28a013375965b44890e173f8944ee65b

SHA1
2988903758e552b8d5e1610022b7fc6fb1df6424

SHA256
c2d2e157facc5308a60cef061d3e15730c3652b27236184f824467c43564cab0

SHA512
6662a8de93d3b53dc1458923d2484abcfc359d2a2a0df1dd80f8ca8cea1980b86240c56d95cd80b573e56a36fe86a60f85f768d83e4ab1ddc429b4f2beaf6e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
217B

MD5
c2b7d378e4bdcca9e65f0bfef8fb842d

SHA1
d7985b77decd1fa12152237c6575fb1589527fd1

SHA256
f88b063a0e56e26ddbfd7c8bd19cd5a7a3d446ea19f632948204ce402b7c0f22

SHA512
e666dc79edb2f56e33752763e576c663ec85fc304a498089f8adaa3a3a8fe67645740ee37d5e01d3a2bafde7e83ef31123268dc0ee4050b23e418c5ed3a50990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2954.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
217B

MD5
4d806150369ddd33bd34c15f3dd0b291

SHA1
c46c6e8fc8843144c189aa6c0de4a12311db76d0

SHA256
919251ce78c459aa22a33f58a15f3ab211a5293eedc9033dbc832be0941103fc

SHA512
c9e7b26d1dca6119c6bf12c47b51de916fbf91dc694713aa799b6e9d26e6b682b05883e8735b6eedfdc8e679eef27282f8d22b0ca97071cc6f9addc30350a899

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

Filesize
217B

MD5
6bdbf582f75972e51383bab49c2e2894

SHA1
73d9b54738fc6e46601522ec8fdb504bf7713089

SHA256
44dd7638d1bf90f2b51e516ec0a83f9b0b4acfa8ace21f38120843081b264969

SHA512
9e903d89ab33dda88144fa0cc893c0e26f6682069f34127458bcf7402b2c9b1fe501ea6becdebb280fb2cf5db2128943815fe5a241beeff7b28b474443666da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
217B

MD5
86c4ae19698fc2a57fedeb095d9bbc8a

SHA1
3762ec67248113042427c8335f5c15a1f4582e24

SHA256
6f1e3bd9e5de4d1ab1bafd31a14e0cce98976fdd1e74f8eb028d21451dba3447

SHA512
4576e797c9b1dc4a5791c51b8382c831198854b5731ef90af58932b79dc31ee6c7521cff7a9567d09cbf9a6d2bc644daaaf79948ae891622ced366098024e2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2966.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
217B

MD5
271a96a65c32d2e2dac428b7aa184db5

SHA1
71aae84acb811d7f16538a2d3a02c81f7c13f721

SHA256
04d33a4e90af519464e9c5ccbaff0f838114874e0331675405e764bad788d367

SHA512
76bd8630107a52b841b797be04879c7ce2368f20b9f6b647be1e3c32da399f4d8bdf865fb0f4757174eb7d1d7afddbbefda975609be23169177c9156fcd2dece

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

Filesize
217B

MD5
646dfa5fc98617f75a581a63d43aff6e

SHA1
e9ffdbe97cb4f79c02f913aee9283eb4d24bce24

SHA256
99640c1f51936eb4caa7ef7e323b052da30961108226d2150aa31be3bd493b1b

SHA512
9e4e7844e5a4f273bd6b3dcf5b97288518ba5c870fd5fe6d82276d4719f37de5e4f7770715db4f6aa1fe7b3b3c9c4337a420747bed000cb9f356563c290975dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat

Filesize
217B

MD5
e8a014007094b2520f30b94227d2ab4b

SHA1
74c18948d1642d4975674502b4825f21e7a85b00

SHA256
c319bb76f019b97b9e298aab09f81d72d7bb592e0393ee3055177187262de65e

SHA512
61dcd47bd001fe5356fbdcd39c99b75177f5de2929b3f2808b47031acf57cacd58f81e229b5dbd3f2424581522c5e91c8dcf6d547074d3ab74641e703f091699

Download Submit
C:\Users\Admin\AppData\Local\Temp\qO35UmqwIy.bat

Filesize
217B

MD5
88927b5c57e408d809a5c39f74eaf61a

SHA1
6672d64c0242a3a9a59ecdb291b8f748ba995ba6

SHA256
15a66296a004588d44ae538a8ad4836f6394428fe98a902aee3f389d14c470d5

SHA512
cc4683f19f71b10a7c1880161c0b94128d7b7ccca8bf339bb409edf5a8b1bbffb2274998c1aed58503448fc2dbcbf11b9213676c99ce95b673b77858d1fbccbb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2188ec4de3106e309dd864b1c0952566

SHA1
b04fc36f55e5471eda89783f216b63db38d6bdf5

SHA256
e6d385c5a015a7a4576ab4e18dc5ab9621a381f09e044d9406f86a9bb6708fc9

SHA512
bc23b4f13c27128165f60ec30a6def9d6148eabf8105d9a731e6ea0cc36eac46782b6a26173cbf9aaaf0ac879a337ae562b8390a6daf722b5e8b6c1def493186

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/664-428-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/960-609-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1152-70-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/1284-669-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/1544-549-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1756-729-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1844-131-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1844-130-0x000000001B500000-0x000000001B7E2000-memory.dmp

Filesize
2.9MB

Download
memory/1852-250-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1852-249-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2408-489-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2408-488-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2808-14-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2808-16-0x0000000000880000-0x000000000088C000-memory.dmp

Filesize
48KB

Download
memory/2808-13-0x00000000008A0000-0x00000000009B0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-15-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/2808-17-0x0000000002110000-0x000000000211C000-memory.dmp

Filesize
48KB

Download
memory/2916-61-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2996-119-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2996-109-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download