dcrat | d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
Size

1.3MB
MD5

e4dda23dd5768f4962c4538afbaf69a0
SHA1

9dc3192471df94de1dc45fe5914f781711b5d0f8
SHA256

d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a
SHA512

8b53332e40808f9ea913490805afd829b984717d3d6b9da97c8080645c745be0c0f51f38fa18fa6c2a9a57c4c63d925cba6864b5c90c6605efbd024d83ab5713
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2732	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2732	schtasks.exe	35

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001707c-12.dat	dcrat
behavioral1/memory/2708-13-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/1084-157-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/816-693-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2792	powershell.exe
2616	powershell.exe
2660	powershell.exe
2360	powershell.exe
2772	powershell.exe
2488	powershell.exe
3056	powershell.exe
2836	powershell.exe
660	powershell.exe
2228	powershell.exe
2940	powershell.exe
1668	powershell.exe
580	powershell.exe
2832	powershell.exe
2200	powershell.exe
2724	powershell.exe
2972	powershell.exe
2588	powershell.exe
2668	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2708	DllCommonsvc.exe
1084	wininit.exe
1776	wininit.exe
2444	wininit.exe
1200	wininit.exe
2120	wininit.exe
1932	wininit.exe
536	wininit.exe
2244	wininit.exe
1920	wininit.exe
816	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
544	cmd.exe
544	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\0410\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\System32\0410\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\DigitalLocker\en-US\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\DigitalLocker\en-US\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Characters\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Characters\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2164	schtasks.exe
560	schtasks.exe
1364	schtasks.exe
1696	schtasks.exe
536	schtasks.exe
2168	schtasks.exe
2756	schtasks.exe
2508	schtasks.exe
984	schtasks.exe
1624	schtasks.exe
1388	schtasks.exe
2632	schtasks.exe
2552	schtasks.exe
2364	schtasks.exe
2416	schtasks.exe
3060	schtasks.exe
1308	schtasks.exe
3068	schtasks.exe
1804	schtasks.exe
1560	schtasks.exe
2108	schtasks.exe
940	schtasks.exe
1380	schtasks.exe
988	schtasks.exe
2728	schtasks.exe
1736	schtasks.exe
2868	schtasks.exe
2920	schtasks.exe
2240	schtasks.exe
1816	schtasks.exe
872	schtasks.exe
2712	schtasks.exe
804	schtasks.exe
2204	schtasks.exe
2940	schtasks.exe
2144	schtasks.exe
1680	schtasks.exe
448	schtasks.exe
612	schtasks.exe
2692	schtasks.exe
1288	schtasks.exe
1856	schtasks.exe
2176	schtasks.exe
2248	schtasks.exe
2120	schtasks.exe
1956	schtasks.exe
1800	schtasks.exe
2124	schtasks.exe
2936	schtasks.exe
2460	schtasks.exe
2100	schtasks.exe
1684	schtasks.exe
1720	schtasks.exe
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2708	DllCommonsvc.exe
2708	DllCommonsvc.exe
2708	DllCommonsvc.exe
580	powershell.exe
2792	powershell.exe
2360	powershell.exe
2724	powershell.exe
2972	powershell.exe
2940	powershell.exe
1668	powershell.exe
3056	powershell.exe
2588	powershell.exe
660	powershell.exe
2616	powershell.exe
2832	powershell.exe
2660	powershell.exe
2200	powershell.exe
2488	powershell.exe
2668	powershell.exe
2836	powershell.exe
2228	powershell.exe
2772	powershell.exe
1084	wininit.exe
1776	wininit.exe
2444	wininit.exe
1200	wininit.exe
2120	wininit.exe
1932	wininit.exe
536	wininit.exe
2244	wininit.exe
1920	wininit.exe
816	wininit.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	DllCommonsvc.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	2836	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1084	wininit.exe
Token: SeDebugPrivilege	1776	wininit.exe
Token: SeDebugPrivilege	2444	wininit.exe
Token: SeDebugPrivilege	1200	wininit.exe
Token: SeDebugPrivilege	2120	wininit.exe
Token: SeDebugPrivilege	1932	wininit.exe
Token: SeDebugPrivilege	536	wininit.exe
Token: SeDebugPrivilege	2244	wininit.exe
Token: SeDebugPrivilege	1920	wininit.exe
Token: SeDebugPrivilege	816	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2392	2960	JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe	30
PID 2960 wrote to memory of 2392	2960	JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe	30
PID 2960 wrote to memory of 2392	2960	JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe	30
PID 2960 wrote to memory of 2392	2960	JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe	30
PID 2392 wrote to memory of 544	2392	WScript.exe	31
PID 2392 wrote to memory of 544	2392	WScript.exe	31
PID 2392 wrote to memory of 544	2392	WScript.exe	31
PID 2392 wrote to memory of 544	2392	WScript.exe	31
PID 544 wrote to memory of 2708	544	cmd.exe	33
PID 544 wrote to memory of 2708	544	cmd.exe	33
PID 544 wrote to memory of 2708	544	cmd.exe	33
PID 544 wrote to memory of 2708	544	cmd.exe	33
PID 2708 wrote to memory of 2200	2708	DllCommonsvc.exe	90
PID 2708 wrote to memory of 2200	2708	DllCommonsvc.exe	90
PID 2708 wrote to memory of 2200	2708	DllCommonsvc.exe	90
PID 2708 wrote to memory of 2724	2708	DllCommonsvc.exe	91
PID 2708 wrote to memory of 2724	2708	DllCommonsvc.exe	91
PID 2708 wrote to memory of 2724	2708	DllCommonsvc.exe	91
PID 2708 wrote to memory of 2772	2708	DllCommonsvc.exe	92
PID 2708 wrote to memory of 2772	2708	DllCommonsvc.exe	92
PID 2708 wrote to memory of 2772	2708	DllCommonsvc.exe	92
PID 2708 wrote to memory of 2836	2708	DllCommonsvc.exe	93
PID 2708 wrote to memory of 2836	2708	DllCommonsvc.exe	93
PID 2708 wrote to memory of 2836	2708	DllCommonsvc.exe	93
PID 2708 wrote to memory of 2488	2708	DllCommonsvc.exe	94
PID 2708 wrote to memory of 2488	2708	DllCommonsvc.exe	94
PID 2708 wrote to memory of 2488	2708	DllCommonsvc.exe	94
PID 2708 wrote to memory of 2972	2708	DllCommonsvc.exe	95
PID 2708 wrote to memory of 2972	2708	DllCommonsvc.exe	95
PID 2708 wrote to memory of 2972	2708	DllCommonsvc.exe	95
PID 2708 wrote to memory of 2588	2708	DllCommonsvc.exe	96
PID 2708 wrote to memory of 2588	2708	DllCommonsvc.exe	96
PID 2708 wrote to memory of 2588	2708	DllCommonsvc.exe	96
PID 2708 wrote to memory of 2792	2708	DllCommonsvc.exe	97
PID 2708 wrote to memory of 2792	2708	DllCommonsvc.exe	97
PID 2708 wrote to memory of 2792	2708	DllCommonsvc.exe	97
PID 2708 wrote to memory of 2616	2708	DllCommonsvc.exe	98
PID 2708 wrote to memory of 2616	2708	DllCommonsvc.exe	98
PID 2708 wrote to memory of 2616	2708	DllCommonsvc.exe	98
PID 2708 wrote to memory of 2668	2708	DllCommonsvc.exe	99
PID 2708 wrote to memory of 2668	2708	DllCommonsvc.exe	99
PID 2708 wrote to memory of 2668	2708	DllCommonsvc.exe	99
PID 2708 wrote to memory of 2660	2708	DllCommonsvc.exe	100
PID 2708 wrote to memory of 2660	2708	DllCommonsvc.exe	100
PID 2708 wrote to memory of 2660	2708	DllCommonsvc.exe	100
PID 2708 wrote to memory of 2360	2708	DllCommonsvc.exe	101
PID 2708 wrote to memory of 2360	2708	DllCommonsvc.exe	101
PID 2708 wrote to memory of 2360	2708	DllCommonsvc.exe	101
PID 2708 wrote to memory of 660	2708	DllCommonsvc.exe	102
PID 2708 wrote to memory of 660	2708	DllCommonsvc.exe	102
PID 2708 wrote to memory of 660	2708	DllCommonsvc.exe	102
PID 2708 wrote to memory of 2228	2708	DllCommonsvc.exe	103
PID 2708 wrote to memory of 2228	2708	DllCommonsvc.exe	103
PID 2708 wrote to memory of 2228	2708	DllCommonsvc.exe	103
PID 2708 wrote to memory of 3056	2708	DllCommonsvc.exe	104
PID 2708 wrote to memory of 3056	2708	DllCommonsvc.exe	104
PID 2708 wrote to memory of 3056	2708	DllCommonsvc.exe	104
PID 2708 wrote to memory of 580	2708	DllCommonsvc.exe	105
PID 2708 wrote to memory of 580	2708	DllCommonsvc.exe	105
PID 2708 wrote to memory of 580	2708	DllCommonsvc.exe	105
PID 2708 wrote to memory of 2832	2708	DllCommonsvc.exe	106
PID 2708 wrote to memory of 2832	2708	DllCommonsvc.exe	106
PID 2708 wrote to memory of 2832	2708	DllCommonsvc.exe	106
PID 2708 wrote to memory of 2940	2708	DllCommonsvc.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d35c608b629646ef5143e7d09350957771e444dfb922f1f008fe027c20353f2a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\DigitalLocker\en-US\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\0410\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Characters\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a38xJPb62e.bat"
        5⤵
        
        PID:3052
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:280
      - C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat"
        7⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2376
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        9⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2924
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        11⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:280
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
        13⤵
        
        PID:1372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1832
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
        15⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1936
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        17⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:280
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"
        19⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2464
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"
        21⤵
        
        PID:1288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2136
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        23⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:984
        
        C:\Users\Public\Music\wininit.exe
        
        "C:\Users\Public\Music\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Windows\DigitalLocker\en-US\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\DigitalLocker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\DigitalLocker\en-US\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\0410\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\System32\0410\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Windows\System32\0410\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Recorded TV\Sample Media\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Music\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Characters\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Characters\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Characters\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0f99f0622cc67dcff62b2eab6877646

SHA1
ae84abcc60f323d75a1e3e9e4be03c401c2faabc

SHA256
699db951e2dff68cbfa225d6bbe9877d26343069ea7038f259269275b8fbb815

SHA512
ca10dcd01d66f0e8085d8cd28d3cfeaf7cdd6f134ef73adedcedb3350be224af190fdedf064a8fc769c3cf3635a3d33355cbf7a5ce49a8bd90e4bd391e17a427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d25f107ec7f34086df83884586b05c7

SHA1
b24217f6650797b6f0ef6f82b610b11c3a4706e0

SHA256
dc1d9a4542c625d82b4c8791465d71f29e3eac3aa488f613b2841ac0ef986693

SHA512
a09571c3405642a1293d79a4ca83277bd6b91c38613a12890e3cff5f5caf117830fefb22883986ef5290bd39c106b75e19c0cd0bafc7add5821e124635a3b17d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e319c587a9e71b66b8e112366b251c92

SHA1
30c928ef1d82dcc88bb1ff36c036c20f07e9ee5b

SHA256
6b87bf6018b31730939c5ceadd954fe973925afc57d3f290290c2508d0a85323

SHA512
e83ec055c1d06bd7886515244d2a993e46d9111e4f2320f02c224d9c07997442522cef816b46bb685da01109c809a4a5b43d92abbdc11b07d10d122f4e526659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d83d9ea34d7ac23e18a055671b6f332b

SHA1
fe75159ece61d332b037a6aaa2d9bd887a12939a

SHA256
b9e89f170190e826869e820620c718ad00f6456bcd5930c1a683c47710580869

SHA512
88eaf01e2229f90017edece8b2ae334e3fe3c842f6b33a4810f3406526711262e903ba2760aa8ac52ffbd778166b69f17b1aaf366692bc27bd98f0f1df906463

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c575432d2fbae29f99d4b689fed3e13f

SHA1
d15c36614b2b598c9f0e08d752bcc5dcce3f79cd

SHA256
d32a3d70c950dd01254d574ba4122a3aa3e80381d50d14bfb64ed89b04bc08e8

SHA512
7c0089b68e92963472b18df2d7e2a1b13eaea524a500a820ab6bdffb4b7f2b2e465d5676e537637bf47b1918dd15dafe6f0110c76e4ce5188d4a1e0bbda9fbeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28222ab4b06cdcc57f0cf6b8b3b7866c

SHA1
6aa37a4c28472019859d28b551c92f4fd6e45dfe

SHA256
a53e7cfccd8e46ba7f55974989e40045ee59609bdc18b53cd2b47b69ba84d587

SHA512
72e6099d7a471b18b10528a3a1da8b9ce2d9cea15920e69dfbe112ffd60bdbfd9af3fa858a91e03c4dcd64b51b16296b684f796d60eaac68383142e40c9e2de3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
918f551ddc488a2b9ee0347df1c6edbe

SHA1
6cc20d944da3d829828d18022ec9e201c14c4b6c

SHA256
8657e1d98da1d34cae7020df9b4fefc4b77fea3dd1183546edfa34d6281eacc1

SHA512
04ce46877875b740f15d17c06c9f623d122c8fdbc2cce574ff34161ae1f8d1c0b5cec244dd04e1fd5a9b77d7fbad156b3b40b7576114b604b2a9f8c73e0719c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79aba7501df05a6ea78576afc97dfa87

SHA1
949572b6c38557f2e1a5849d9eb18cf6ab1886e5

SHA256
8b55a138562b00162ca51f8963d5ebad792bfdeb5adf048535f7b939577cf7bb

SHA512
a2c948eae31a6ba293363e14dc6a5b88b9d2a757bda4f0e14dafdac4d800e90a77093e15b66df443f8783e66614555996ba2f533c48377bff9e4ab2a15a8c05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
198B

MD5
9a59e2d36f411ae20a640f4c6260aa38

SHA1
b9d0fecf253f7ea993c71a59fef8c8ec56d18f70

SHA256
a9e01e3b71a2baf36775027ac7bd4f387fcfe43d342900a8e03826cc2e3bdca2

SHA512
2e86ccb3ac6688380892bcf47ed5c09af68c84d0cf0e12a646e579cb1e3da75efef640b4a048cfd9d832eb983a2fb9591d0a8e20f5e99acc86277d0c80fa8761

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat

Filesize
198B

MD5
d72509be477d32b3a30a33b06c742323

SHA1
d715d2ea3452f4ecaf9d3d862208f08b0b730326

SHA256
ffba130cc5d8df1baf09749133bdd81ed88301548dd1473056f5e519445640cb

SHA512
9e644264928f16a58782bf05ff8a2862a53ceda71719e0bb2abd7901d02f5d57ba63380e0cc1b3994c93256703b9cde24afd6ae14b7eaf9709f59962eaa801b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
198B

MD5
752ee3f93ca2194ecdf72db011f0ca12

SHA1
b016b3d370ba789ae8081e0a66c89c5686647d3d

SHA256
59bbe4ea00e1453cb2db42dc2cb609238a640fda9121cdc4712edd45c00749a5

SHA512
27d3e2c99fc133ab03e96eb2176e05cb4f7ff7d2e002cbb2503c19d7ee26c2d569f9fe60f46d4ed3c4f1fab9baf4b2703ef94b037fdf55d9d648f476193f8b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1586.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1598.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
198B

MD5
984b36def379663a89eaf95f8767ec88

SHA1
139a0afc8ca4d4628ed9e56ae8ce4cd0c72fd002

SHA256
467b71a3f7f41d16a8187e705788465b97e09765ae88363f0f69fdbcbbc4e577

SHA512
a3fbc04faa24f62930f3c523de49169648964f0581101a732fefad1bf67c53bcb372a5c00d7e1bed56b1674693e3a2dadd6ece839363a3cacf4280a4648091e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat

Filesize
198B

MD5
f6af3567988a603a9f169c2dfee719ce

SHA1
95cfcd53e238efe24fb7bb8d3837316a13e70e95

SHA256
86b9530fa1ca4a5b0d3c91db34af9a2356fa2cf27f256acc26f277ae46acccd2

SHA512
17046f08dc5a805e585bb4477c617ed94fa956230dafef4f6c15c247717ee5a905f237df256af686ef97a8b27f19a7a194ffb75badc779fa2bce1d725b1d7185

Download Submit
C:\Users\Admin\AppData\Local\Temp\a38xJPb62e.bat

Filesize
198B

MD5
f0ce79066392f80218ad82ac33576019

SHA1
b85e98621be467da87075648e5a892d4368e30a3

SHA256
781f44ffd2a186d655233806c3fe99b2e0cc9fdaf73d3efabdb5ce31b09871b0

SHA512
7fe9c114badb92516a52c3077f49853939d8dfb72c75d50c008eb55173a2e231dec2484670c9e2c1b55eea0b55efd54eec3b3411aaedd9592dd67be9a6b3007f

Download Submit
C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat

Filesize
198B

MD5
91a24c54bb8c3656861c1b94deb15c5f

SHA1
c335aa1c6251afcff19133089631a24b63bb1ffd

SHA256
6c674eeb6a6ceb225fb805bc5c6aef94ac4b372e33de8ed5570bd569a3b52247

SHA512
7a3d26f4e31e5fcd6d7785f957b6ba2fe12e648a1890757d50da8f887f3527a70b4b9b5cf711dfd7b14a42557a458f4cfc7bd5b59837ceb9c0aa183c724bbd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
198B

MD5
aefe7e2518fd1ac4ccdfd896ed6e8867

SHA1
3a85adb9eaf97b5b63e14881f74dd57560f189bf

SHA256
68c27af9df2442ff7e775b8e7ffe5669c88e353be8578c508cdb99d7d030937e

SHA512
836547d35879462a8e05cb960bcac3fb6dc5685c3623a6ff88ad9d2c952c9c7a2ac08cb794644fe1e946813dac9bbdd8adf43ebdb645ef9b81ce097894416852

Download Submit
C:\Users\Admin\AppData\Local\Temp\rgoiaSdxpd.bat

Filesize
198B

MD5
e43267edff9fcb1ba4c2d9945bf35c2d

SHA1
ef501f49406ee8da238f7818b9f7b6596ca22edf

SHA256
c63efda8423c6628879f2ced69e006810adfe38abd857ffe3d442fa0a4e299d2

SHA512
976e06559e19b25cbbf0f56a5ac6fdbe5b8413a22d34fabca90279163fe39fd236026cebe234d28fa0254e069667032406257a209e925b836aeb00a50c3892dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
198B

MD5
18e6c870c1cdb44500ce4958b4e677a2

SHA1
7ccdafc9b18c1c89d403aaaa2aa85dab96952517

SHA256
23f30c77e3eb8e6466f6d78c1443890c48f8534625db87293c3512ebde75ee79

SHA512
cd7b4bdd03bf81d4537895898cfeda6b37b7f0680889ff8ab4989335a98b89384271239af7627fb88643cbdadb14da8d79bbf27547189cd5464277a58ee2b0b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
deb38f1766d9ff332991d1476ae30588

SHA1
e7d88cde8d2e43bb761913f2225454272e25c034

SHA256
e4a424044575978f0045208f94aa49f8d03e20c49a617596a59f5a56f5e25366

SHA512
7dc77504ac0f8db66b2927d27c41b91764169ed213e5160efffc934b0e25970916de223f17960ee23d41143e71022753ef72c58b51e79f1488eb77b538eaca0b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/580-74-0x0000000001C00000-0x0000000001C08000-memory.dmp

Filesize
32KB

Download
memory/580-72-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/816-694-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/816-693-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/1084-157-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/1084-158-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1776-217-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1932-456-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2120-396-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2444-277-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2708-16-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2708-13-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/2708-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2708-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2708-17-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download