dcrat | 7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e.exe
Size

1.3MB
MD5

c430fd854a859e75ac584e8bce08b095
SHA1

3790ffe9547b3e3215adc7b112a93a50bd2acaf3
SHA256

7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e
SHA512

bfd2d92d2cb56585cf330e17673caa71f74e84419f98228de53907fe1a15f95628aa5bdca7980ba3978e67798297eb7db54678579583a3259ffa1e3623147229
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2900	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2900	schtasks.exe	35

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019227-9.dat	dcrat
behavioral1/memory/2740-13-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/2708-54-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/2188-189-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2856-250-0x0000000000900000-0x0000000000A10000-memory.dmp	dcrat
behavioral1/memory/2992-310-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2196-370-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2388-430-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/1852-490-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/1360-550-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2748-610-0x0000000000C10000-0x0000000000D20000-memory.dmp	dcrat
behavioral1/memory/2920-730-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
1432	powershell.exe
1496	powershell.exe
2904	powershell.exe
2188	powershell.exe
2540	powershell.exe
2564	powershell.exe
2544	powershell.exe
1000	powershell.exe
2372	powershell.exe
3028	powershell.exe
1760	powershell.exe
988	powershell.exe
1592	powershell.exe
2120	powershell.exe
2248	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2740	DllCommonsvc.exe
2708	WMIADAP.exe
2188	WMIADAP.exe
2856	WMIADAP.exe
2992	WMIADAP.exe
2196	WMIADAP.exe
2388	WMIADAP.exe
1852	WMIADAP.exe
1360	WMIADAP.exe
2748	WMIADAP.exe
1784	WMIADAP.exe
2920	WMIADAP.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	cmd.exe
2780	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
22	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Help\System.exe	DllCommonsvc.exe
File created	C:\Windows\Help\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Globalization\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\75a57c1bdf437c	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2928	schtasks.exe
684	schtasks.exe
1544	schtasks.exe
2892	schtasks.exe
1228	schtasks.exe
716	schtasks.exe
1852	schtasks.exe
868	schtasks.exe
1580	schtasks.exe
1976	schtasks.exe
2508	schtasks.exe
1660	schtasks.exe
2144	schtasks.exe
1860	schtasks.exe
2932	schtasks.exe
2588	schtasks.exe
1676	schtasks.exe
568	schtasks.exe
2712	schtasks.exe
1368	schtasks.exe
836	schtasks.exe
3000	schtasks.exe
2692	schtasks.exe
1940	schtasks.exe
1696	schtasks.exe
408	schtasks.exe
2288	schtasks.exe
108	schtasks.exe
2736	schtasks.exe
1752	schtasks.exe
1168	schtasks.exe
1728	schtasks.exe
2292	schtasks.exe
2456	schtasks.exe
904	schtasks.exe
1984	schtasks.exe
2828	schtasks.exe
1948	schtasks.exe
1912	schtasks.exe
1936	schtasks.exe
2444	schtasks.exe
2112	schtasks.exe
848	schtasks.exe
2652	schtasks.exe
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2740	DllCommonsvc.exe
2740	DllCommonsvc.exe
2740	DllCommonsvc.exe
2740	DllCommonsvc.exe
2740	DllCommonsvc.exe
2540	powershell.exe
1496	powershell.exe
1760	powershell.exe
2188	powershell.exe
2120	powershell.exe
1000	powershell.exe
1592	powershell.exe
2392	powershell.exe
2904	powershell.exe
2544	powershell.exe
3028	powershell.exe
1432	powershell.exe
2564	powershell.exe
988	powershell.exe
2372	powershell.exe
2708	WMIADAP.exe
2188	WMIADAP.exe
2856	WMIADAP.exe
2992	WMIADAP.exe
2196	WMIADAP.exe
2388	WMIADAP.exe
1852	WMIADAP.exe
1360	WMIADAP.exe
2748	WMIADAP.exe
1784	WMIADAP.exe
2920	WMIADAP.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	DllCommonsvc.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1000	powershell.exe
Token: SeDebugPrivilege	2708	WMIADAP.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	988	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2188	WMIADAP.exe
Token: SeDebugPrivilege	2856	WMIADAP.exe
Token: SeDebugPrivilege	2992	WMIADAP.exe
Token: SeDebugPrivilege	2196	WMIADAP.exe
Token: SeDebugPrivilege	2388	WMIADAP.exe
Token: SeDebugPrivilege	1852	WMIADAP.exe
Token: SeDebugPrivilege	1360	WMIADAP.exe
Token: SeDebugPrivilege	2748	WMIADAP.exe
Token: SeDebugPrivilege	1784	WMIADAP.exe
Token: SeDebugPrivilege	2920	WMIADAP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2084	2172	JaffaCakes118_7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e.exe	30
PID 2172 wrote to memory of 2084	2172	JaffaCakes118_7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e.exe	30
PID 2172 wrote to memory of 2084	2172	JaffaCakes118_7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e.exe	30
PID 2172 wrote to memory of 2084	2172	JaffaCakes118_7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e.exe	30
PID 2084 wrote to memory of 2780	2084	WScript.exe	32
PID 2084 wrote to memory of 2780	2084	WScript.exe	32
PID 2084 wrote to memory of 2780	2084	WScript.exe	32
PID 2084 wrote to memory of 2780	2084	WScript.exe	32
PID 2780 wrote to memory of 2740	2780	cmd.exe	34
PID 2780 wrote to memory of 2740	2780	cmd.exe	34
PID 2780 wrote to memory of 2740	2780	cmd.exe	34
PID 2780 wrote to memory of 2740	2780	cmd.exe	34
PID 2740 wrote to memory of 1592	2740	DllCommonsvc.exe	81
PID 2740 wrote to memory of 1592	2740	DllCommonsvc.exe	81
PID 2740 wrote to memory of 1592	2740	DllCommonsvc.exe	81
PID 2740 wrote to memory of 988	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 988	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 988	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 2544	2740	DllCommonsvc.exe	83
PID 2740 wrote to memory of 2544	2740	DllCommonsvc.exe	83
PID 2740 wrote to memory of 2544	2740	DllCommonsvc.exe	83
PID 2740 wrote to memory of 1760	2740	DllCommonsvc.exe	85
PID 2740 wrote to memory of 1760	2740	DllCommonsvc.exe	85
PID 2740 wrote to memory of 1760	2740	DllCommonsvc.exe	85
PID 2740 wrote to memory of 1432	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 1432	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 1432	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 2392	2740	DllCommonsvc.exe	88
PID 2740 wrote to memory of 2392	2740	DllCommonsvc.exe	88
PID 2740 wrote to memory of 2392	2740	DllCommonsvc.exe	88
PID 2740 wrote to memory of 2564	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 2564	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 2564	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 2372	2740	DllCommonsvc.exe	90
PID 2740 wrote to memory of 2372	2740	DllCommonsvc.exe	90
PID 2740 wrote to memory of 2372	2740	DllCommonsvc.exe	90
PID 2740 wrote to memory of 2248	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 2248	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 2248	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 1496	2740	DllCommonsvc.exe	92
PID 2740 wrote to memory of 1496	2740	DllCommonsvc.exe	92
PID 2740 wrote to memory of 1496	2740	DllCommonsvc.exe	92
PID 2740 wrote to memory of 2540	2740	DllCommonsvc.exe	93
PID 2740 wrote to memory of 2540	2740	DllCommonsvc.exe	93
PID 2740 wrote to memory of 2540	2740	DllCommonsvc.exe	93
PID 2740 wrote to memory of 2120	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 2120	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 2120	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 2188	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 2188	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 2188	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 1000	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 1000	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 1000	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 2904	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 2904	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 2904	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 3028	2740	DllCommonsvc.exe	98
PID 2740 wrote to memory of 3028	2740	DllCommonsvc.exe	98
PID 2740 wrote to memory of 3028	2740	DllCommonsvc.exe	98
PID 2740 wrote to memory of 2708	2740	DllCommonsvc.exe	113
PID 2740 wrote to memory of 2708	2740	DllCommonsvc.exe	113
PID 2740 wrote to memory of 2708	2740	DllCommonsvc.exe	113
PID 2708 wrote to memory of 3024	2708	WMIADAP.exe	115

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b5fa126d7b7301fa829f7a12ceed1d1d637e18412af49b10950c3399479c68e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"
        6⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1352
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        8⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1728
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        10⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:988
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
        12⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2512
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        14⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1592
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        16⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1628
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
        18⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1492
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        20⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1676
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
        22⤵
        
        PID:236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1552
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat"
        24⤵
        
        PID:1212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2520
        
        C:\Windows\Globalization\WMIADAP.exe
        
        "C:\Windows\Globalization\WMIADAP.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\Globalization\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\Globalization\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Desktop\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf62ea70d43dc09e606795b49df64a0b

SHA1
12bcf69e534691b2fa0556a07ce3391e88eb2d8d

SHA256
4b74e8de4031c3495d770c519748e9104d95cb6e013b6dc4ec76fb4b150817ea

SHA512
bed7dd99d6c69521dae3c7866ebb14dd9c4351ba015078e950044b70446e30c1ee4a3d31c42c5292f6c04435dbea41e26cbb4d9d452384d7cc647575e2e03d79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
476dc5a862996953f2d423b3cc018499

SHA1
351f5213c359768a9d42f4f1f1531d9eab16cf64

SHA256
eea48fbb6607d4f34375a038142b8652d8f5122a5801aff884a6f36393b160ed

SHA512
103b68ab6bddb27c9003629a78e25f386a71c06aac63e03ef78b65cd67f87185d1222c9e6bec9b258fd7ba14123d5e7844e3c2e1363f659c43da939cfaa1588c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d213cf54df0e6db84a53dac3bf0f29a

SHA1
893c3ea7a412bc56eeb094ed4e28e8cf6e2b47e7

SHA256
7c0c3e98ffa696705e86618bafa740e9017d1102d1331831907aed8a74b2d4d4

SHA512
fe9488c1a86175094650f629e2f840943ac78f5f8f012ba019e595cbdf19f9de6de8757a6a4e7de19de0de9f386cbba34f4213b9e76efcf1f1439e68104709e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d56a90d61af127acb6a2c7380187c343

SHA1
b6b4c86151474c52d0ef9af2c0a2df3788d73cf3

SHA256
0b00b3da72c715cc494c1674fba381e0e8e3e200134705abfa336dea12c924ae

SHA512
579857d34e36485ba7ce2c344e2aa34bb0beb42544077802facd7269edb69b1b1a55e3416453ea1715cc87f4d763fa75b8cf633fc4c1be22bb542cd874dc35e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ec7d0f9fd3fb46662b056a872547a30

SHA1
88eacdf206fcf5c0da295666fe03422ee743ae17

SHA256
daef200ab9d8b13f420f9dc4398a6dadfcc63989943356089c04612958fc0fff

SHA512
c5055bfd14a2b8629180809b80529b5e5c9f48bb0f70ea99dda3b35f95d94dc188f085c2c3cfbcd54a9f5fc955e301ad785b602ada0726ba25ee3d97b1cba075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5dd6e2ee106ed08cbcc4f211190d8479

SHA1
6487f7577371ce0d84b78b7b9a22d27f1cb84587

SHA256
3329832b39ae480019a5e875d1429c1c439f6b997923949268c7fd86f1ad3229

SHA512
58430846c60d6e9f0972a84639c083f5e8d987007e3a2f37bb37aade1f3e4ddc4dd1e80efe6f62dcf94bf0d6840c885a44cb757a480bfa312b3be0b7fddaf1e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb5ff77521dc67f0fb952dd865445bfe

SHA1
946569ba37e5974d6b37d5b290b5fd9c98532201

SHA256
bcbc55ca2388b052734baaeb36ce4ddf8c1d0531fd08cfea1a1467d22e41e3c5

SHA512
80e07e4e5bdc67563a8dcee36e5b1080839985e6e6e3e2302598c6f601aeb75e3c9ed70cdc30a9af91ae265c1c54f41a2af399de948d3527f59959e2fe55634e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d22c1e7dddd1f98e12745966be5e9ce

SHA1
420fd2239875854d4f19697f7db848c454f1b71f

SHA256
021cb1d660b349f30918e987822804f94e37321acceb887040a9f0519e892fb7

SHA512
7b4fe38252338b8ac547ea8e396aaac6a1f6bebb4440206a892e12f9b2e75257142426579b416a07e5cf353b7d9f450ff3530c1b82a372e88fab8c93af63aac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91f136f5dc22e833c35e09b0d3b304c8

SHA1
4f04c203153eccd863b9be2bb6ea54cd7264a471

SHA256
bfb950a21712dae1983d4e569f100d40ef04a257e3f7457aecca8e8962e17aa2

SHA512
2e064733ba4ff7ac2f8390549265a10e5f3f5555a51c1d5651d76e77697817017285e436d3c140794577ae9396d5332551c91a6a2793613a14abf74287509c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
201B

MD5
df8bf5294e16023aa969663bee750aae

SHA1
1dbea9efa3e33e5201a75f2768169abbb9c1bdc8

SHA256
be3c2a085d0d07662e806d34d41e30f23be1bc1afec82537d110c1cae1c0ff8c

SHA512
ae33eb2885e9e44ea97b758f0125bd7d3580b0b1805eb492b650e10a307ba9037e36bfc2540111b64955ec1d62f49d2f6dc1d3fdbfc402a13c055179ce477628

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
201B

MD5
9415c52ce8f6d843e18f9f8957e263b5

SHA1
960b41dbac411702c47b42ff46b8d8e09139e122

SHA256
a3e018338a0eebe78a7d5f75daf9379d6d391c7ab1518f1f8fa2db5e6643597c

SHA512
f986054b4785def4ee53e439591339a6d0a8c9d6d077188cb2411b626229767cdd25cbcf3549de89f43810f6591a36a35ebb972ae77c170cb47685c1261dcb0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat

Filesize
201B

MD5
d33a3a5221ef4a4c7554fdb1d7114868

SHA1
dafcf48a85e35095f08ca13d82f08cb541fdba8a

SHA256
570026e3239a6b78d1343d037a7ad59e6ef50614108d59f97758787ff5a8dd31

SHA512
4bcd7dc786a02fe4e739b8385d3bf8e1e17ace9d8b5e863ab7dbc88d81068a2592f4b058c05c5864558296e751c775b4c1084e5d831fbf4763caa4b98e2519b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat

Filesize
201B

MD5
aab023421c71708be9f7865e71e5bcf0

SHA1
5662e8159aa6303bdca1dd0d519df61220ed56d0

SHA256
0072a97003b4831f555fda20519b4b27f5145a24fdb227ed2b25209fbe5090fb

SHA512
de7b63d1aa92df22c98a66738335b21b39ae43b5fee2c1a84bbed8e1e42bba57d6130087a1cce5b92eda82a3646b2734efe54e84c55c4075da7f899382ac0f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
201B

MD5
381ca1ab4cec23d51d2dd91430d614d0

SHA1
3f89ddcb327316cec44a7733ba9413219f227acd

SHA256
f25e0de6bb341dc23c6a91021acd2d1976bba11c09132e9df88632e3be347983

SHA512
d4e6c364d286ce9aac8c5e9500ed75db834b9c5b6483915fe3730429134e504a75f455e86c007efce5d6d8f7ad580258a2dce020cb5f5f908dd5e2ff96bb78cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTd08pZfDw.bat

Filesize
201B

MD5
c2588dfe39d55cf08da78330f1d71bd2

SHA1
0c0701905fd8eb7a861ab431fa5c8ba430b50e80

SHA256
bd397ceedff0843a4e9aa56fcfb036759a0a6bbabfc64be3666f1c40ef261863

SHA512
45369cf0312fa4960dc945bea5dedb10999e62ad93a6a921ad273676d752cba8bc6c51ba8b4f2847cfa9456adc7c8118b361cb5dc180103c2e02032466ca9295

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
201B

MD5
badc4fda56b2acecbcc368ba76d58eff

SHA1
926d62f2e0ff07d31c40e8e2709c9ad7777b2fe4

SHA256
2cd552e17a1e111d7c7e3184b7e06b94c71b5569eea778b815e9d83411c249be

SHA512
d75a584e5510d8cdbecd72b0822ce5b8409d0b758cbbd028410396d32de0f36235b2356695a669d608bfbcb5957143c622076e8946de08eeee2a7bd80d31c445

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
201B

MD5
4568934241d8f004658d78386e6169d6

SHA1
472e16363900c02666e03b3d7763e9d347d63227

SHA256
0ec05eeb06373849a43d9f663ed1e53372815f662d49372e2d8630ded13f02d8

SHA512
f98c8be1129ed5d01bc5cb5b9a6e41ed1589b78690157e6e43c8c6e8ae0d4967730414912780f85902a5483ea586c721d287fc3a2895fe2f01aebe7b5be693d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

Filesize
201B

MD5
21e0872dedb01ecbc48df167522bd500

SHA1
2365db9c40baef587cfb32a08d165e37edc67a9a

SHA256
25a2d97af1c11dbea38a2405c703508dc246cbb8bd85d66460149505677ad60f

SHA512
aee5b8e0f1fe7f7e61df051e4d5587c9ef40dfeb1ae22bf5cf420536e7b9fd164e666967130167017e9c8dade23500282a2c6bcaad1ea3071d75b684480e7442

Download Submit
C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat

Filesize
201B

MD5
29d3aab295beb0a24d88e0cbd6346311

SHA1
e5ea044b693cf29b291e987a2837228ca2ce7a8b

SHA256
865acbf153dedc9fb534809a6e4a5c68848853a4e2c60d5b839e185cb33b2d21

SHA512
95002a22763f7795adf127394fc37ea1854ab7da4011370b3a479576dd743b2c75df7eee279b87fa6912d376ea6c0130b2044a7dc6011d0cb3b5b8c66e774a7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c1e0e44c5a89b5a4e087c8c97f924105

SHA1
a3e4b90b868c565cbc82bcc22754e1e0eb83cb8e

SHA256
7c4f3374d25992b9ed2a659a38ae0c109241edf16901e14052e71e49b8c4db03

SHA512
160755bf8669e52187208747ae9a34247451270ce0a728326f5c23ca1680ff48e496157c205cbbac87cc7963924b5d08822c693a9f3cc5c03d414639bf09cf06

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1360-550-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/1760-69-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1852-490-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/2188-189-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2188-190-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2196-370-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2388-430-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/2540-70-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2708-54-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/2708-126-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2740-13-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2740-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2740-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2740-16-0x00000000006B0000-0x00000000006BC000-memory.dmp

Filesize
48KB

Download
memory/2740-17-0x00000000006C0000-0x00000000006CC000-memory.dmp

Filesize
48KB

Download
memory/2748-610-0x0000000000C10000-0x0000000000D20000-memory.dmp

Filesize
1.1MB

Download
memory/2748-611-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2856-250-0x0000000000900000-0x0000000000A10000-memory.dmp

Filesize
1.1MB

Download
memory/2920-730-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2992-310-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download