dcrat | 11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6.exe
Size

1.3MB
MD5

7d10b69219d7b2c21e36dc39cf731a3a
SHA1

4cd16cc98fb5643b0f60c8cf4f9b11430862e4f9
SHA256

11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6
SHA512

d21796fc4f7a675c188e587372f5c475ff17e1fefe8fa2c902fde88c5fd7373cd554c20145a3a11312deeff17a29f86e35f225d05b1835ee1ed7b5adec1f0c02
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	996	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2648	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2648	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001921d-12.dat	dcrat
behavioral1/memory/2752-13-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/2296-54-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/2368-196-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat
behavioral1/memory/1640-433-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1964-493-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/1244-554-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/1800-732-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2776	powershell.exe
1788	powershell.exe
880	powershell.exe
1992	powershell.exe
324	powershell.exe
2844	powershell.exe
2112	powershell.exe
2092	powershell.exe
1156	powershell.exe
2224	powershell.exe
584	powershell.exe
1580	powershell.exe
2136	powershell.exe
2380	powershell.exe
2528	powershell.exe
1596	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2752	DllCommonsvc.exe
2296	audiodg.exe
2368	audiodg.exe
2928	audiodg.exe
1916	audiodg.exe
2312	audiodg.exe
1640	audiodg.exe
1964	audiodg.exe
1244	audiodg.exe
2312	audiodg.exe
2800	audiodg.exe
1800	audiodg.exe
2436	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2640	cmd.exe
2640	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
36	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Ease of Access Themes\services.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Ease of Access Themes\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2416	schtasks.exe
1268	schtasks.exe
112	schtasks.exe
2432	schtasks.exe
2892	schtasks.exe
2140	schtasks.exe
740	schtasks.exe
1772	schtasks.exe
664	schtasks.exe
1284	schtasks.exe
692	schtasks.exe
528	schtasks.exe
3012	schtasks.exe
2168	schtasks.exe
676	schtasks.exe
1904	schtasks.exe
2304	schtasks.exe
2376	schtasks.exe
448	schtasks.exe
2288	schtasks.exe
2468	schtasks.exe
2176	schtasks.exe
2544	schtasks.exe
1844	schtasks.exe
1744	schtasks.exe
960	schtasks.exe
1608	schtasks.exe
996	schtasks.exe
2968	schtasks.exe
1808	schtasks.exe
1728	schtasks.exe
2552	schtasks.exe
2948	schtasks.exe
1500	schtasks.exe
1748	schtasks.exe
952	schtasks.exe
1484	schtasks.exe
1924	schtasks.exe
1776	schtasks.exe
2728	schtasks.exe
2280	schtasks.exe
2044	schtasks.exe
776	schtasks.exe
1956	schtasks.exe
2372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
1156	powershell.exe
2112	powershell.exe
324	powershell.exe
880	powershell.exe
1596	powershell.exe
2296	audiodg.exe
2092	powershell.exe
2844	powershell.exe
2776	powershell.exe
2528	powershell.exe
1788	powershell.exe
1580	powershell.exe
1992	powershell.exe
584	powershell.exe
2136	powershell.exe
2380	powershell.exe
2224	powershell.exe
2368	audiodg.exe
2928	audiodg.exe
1916	audiodg.exe
2312	audiodg.exe
1640	audiodg.exe
1964	audiodg.exe
1244	audiodg.exe
2312	audiodg.exe
2800	audiodg.exe
1800	audiodg.exe
2436	audiodg.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2296	audiodg.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	584	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2368	audiodg.exe
Token: SeDebugPrivilege	2928	audiodg.exe
Token: SeDebugPrivilege	1916	audiodg.exe
Token: SeDebugPrivilege	2312	audiodg.exe
Token: SeDebugPrivilege	1640	audiodg.exe
Token: SeDebugPrivilege	1964	audiodg.exe
Token: SeDebugPrivilege	1244	audiodg.exe
Token: SeDebugPrivilege	2312	audiodg.exe
Token: SeDebugPrivilege	2800	audiodg.exe
Token: SeDebugPrivilege	1800	audiodg.exe
Token: SeDebugPrivilege	2436	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2820	2724	JaffaCakes118_11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6.exe	31
PID 2724 wrote to memory of 2820	2724	JaffaCakes118_11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6.exe	31
PID 2724 wrote to memory of 2820	2724	JaffaCakes118_11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6.exe	31
PID 2724 wrote to memory of 2820	2724	JaffaCakes118_11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6.exe	31
PID 2820 wrote to memory of 2640	2820	WScript.exe	32
PID 2820 wrote to memory of 2640	2820	WScript.exe	32
PID 2820 wrote to memory of 2640	2820	WScript.exe	32
PID 2820 wrote to memory of 2640	2820	WScript.exe	32
PID 2640 wrote to memory of 2752	2640	cmd.exe	34
PID 2640 wrote to memory of 2752	2640	cmd.exe	34
PID 2640 wrote to memory of 2752	2640	cmd.exe	34
PID 2640 wrote to memory of 2752	2640	cmd.exe	34
PID 2752 wrote to memory of 1992	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 1992	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 1992	2752	DllCommonsvc.exe	81
PID 2752 wrote to memory of 880	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 880	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 880	2752	DllCommonsvc.exe	82
PID 2752 wrote to memory of 1156	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 1156	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 1156	2752	DllCommonsvc.exe	83
PID 2752 wrote to memory of 2092	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 2092	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 2092	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 2528	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 2528	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 2528	2752	DllCommonsvc.exe	85
PID 2752 wrote to memory of 324	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 324	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 324	2752	DllCommonsvc.exe	86
PID 2752 wrote to memory of 584	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 584	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 584	2752	DllCommonsvc.exe	87
PID 2752 wrote to memory of 1580	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 1580	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 1580	2752	DllCommonsvc.exe	88
PID 2752 wrote to memory of 1596	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 1596	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 1596	2752	DllCommonsvc.exe	89
PID 2752 wrote to memory of 2112	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2112	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 2112	2752	DllCommonsvc.exe	90
PID 2752 wrote to memory of 1788	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 1788	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 1788	2752	DllCommonsvc.exe	91
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2776	2752	DllCommonsvc.exe	94
PID 2752 wrote to memory of 2380	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2380	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2380	2752	DllCommonsvc.exe	96
PID 2752 wrote to memory of 2224	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2224	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2224	2752	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2844	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2844	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2844	2752	DllCommonsvc.exe	98
PID 2752 wrote to memory of 2136	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2136	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2136	2752	DllCommonsvc.exe	100
PID 2752 wrote to memory of 2296	2752	DllCommonsvc.exe	109
PID 2752 wrote to memory of 2296	2752	DllCommonsvc.exe	109
PID 2752 wrote to memory of 2296	2752	DllCommonsvc.exe	109
PID 2296 wrote to memory of 2540	2296	audiodg.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11033d8121b230e740ba127c10b61c9b50267c6e16e04f622aafff0c39fd1db6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Windows NT\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Ease of Access Themes\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        6⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2508
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
        8⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2324
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
        10⤵
        
        PID:996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3068
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"
        12⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2392
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
        14⤵
        
        PID:676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:760
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        16⤵
        
        PID:1720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2336
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"
        18⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:936
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
        20⤵
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1532
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        22⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2840
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        24⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2452
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"
        26⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2512
        
        C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe
        
        "C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Windows NT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Microsoft\Windows NT\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Favorites\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Favorites\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\Resources\Ease of Access Themes\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ebf6d9d712565077e793dbbbc4e4b6e

SHA1
d6096df875496bf81c7e4a0f66a76a2e82c99d4f

SHA256
db133e9a21deae3eab8f0aac79d4f36db26f063b9f202f40dc3e02ca40adb377

SHA512
2579dadaa68db7ccd024692185c1a4f7062fb94edef7c28c7fe9f183b2a73907a698afece6488cb8e5c209c8ad7112ec7a63b59e506995e3126410a7d5c0e3e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc779ffd1926fb66f3f74a17eeaae90a

SHA1
5fef83d80436cc9f3ab5c15bff6d8cba08b9bf30

SHA256
8f703cf33150de52978b2626b21650b39c571ceb5ddcc8a4cd55e523e209be32

SHA512
83cfa963ac75ee28342924ae103740ece934ab4c08427f2088135b31b658c3239b0f7b726f4dddf6554f0ac3396f184e53ca3c949f963c99d1f884ecab4f4a64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe7d342d75815de2e1a8cbce17e6b43f

SHA1
0c74269b0b5edcc2a473d43e1cec4a5752d01b59

SHA256
5b72ebd7fbc83144d449b6158edf83a9065c11ba35311e612db371d1a1da3d9e

SHA512
b37535b71776756543015c52d50d350ff4dd1ee100d583c35b1c8f9355483c7885cc37ea14b4dbe11dd2889fffc0f2aa5970539185ee448c544fafe53402fd1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56c6a094d0aea1442ce904b397c51368

SHA1
9fc79970c393c7d372dba1e22a8db5272880e618

SHA256
f350f5d36d5f631a2a73608463f04b37e2898a6e45ec73284428fea7baf888de

SHA512
f361aeecac6b391eb2eb16afdb31b15a85237f441d2d2c4d049a594ac7f967746f305f96cd5dd393d0d386270c4a03356b011e717878684f75468bf0e7eaa116

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17ad2f9191cd78f38ba891e111f3412d

SHA1
b38fd7ee254e12d9befff948f15d4f88f7172db7

SHA256
9cd07c87b7b3fbcc9bb6c81481bd954ac185848b1711a7d3f0d29a30414e3177

SHA512
a1c4650a472c56282d007a9a1d9da6c1bedce0327fe5e5f53c358d29dd613a417628c8c8786d819ce08efc2fdf0389d93ed3942817430e8e4a177acf2abdcf4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da828307f590ffbdd84086c472483d14

SHA1
19f7b378fac7664062c3935eb693fcbda6800b60

SHA256
65bb111d3003782f3a7b5ffb8d6a7d6d99bb0d7a27982621aff7fc76b01d28dc

SHA512
5e6c83f3f301f9fb37922b634ced6e611a8098e4c1e1438fc9900bdb1247eb7777a3b23465cbeef33019b230e045a8b14c84a93b740cb5c0ec449d086af47e7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fbc4c80655bb040566c77af0d738049

SHA1
8f161bce060db645e0fee1699bc210d221059230

SHA256
9698da1470d58cb28321a528e00cf287ad15446edc298049383db607a0af3aa2

SHA512
b65a98c319ba0146a243e3d93e3df3699a07ba8f259c82ddc029b908065bf068013a10af755615d887ef9ca62df8cc4eaba664c942f44380d2e89297fadbb6c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05d897147fd8977b8972061da0ddb4ad

SHA1
37de0150918ebb1454e00788abead54b30d01ba1

SHA256
dfff806172c4a3a13d999d9eea67a537a8475184212de644da4bebe4d5b329ba

SHA512
6f5a5f0552b638505bb8235379c6ad0e8b9b6a623d82d7ebfc9821468e3d6932e3e323dc4cca664c4cfdf5a2242d508d2b703891147ab4912add6e08a83bab81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deafaed21fb43a14e3f2dd2bacec1761

SHA1
88099e71bfe59be023257d0cd92755228722a483

SHA256
99bde642f3183719c1dd3707280c78c836f480f12ca74771ead8b828626781c6

SHA512
7c670286eb46b7ab04b2990e92fd81a0156adb477420c37dbc10a53360107a9aa626457df99b29993b8ea3ce707224282ba9459f23194852ba15d1dd9c3b08f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a621bcfaf3c2e519fda90f9de7124a9b

SHA1
5713d2b75fe942a5fdd79390060a7ed6549451dc

SHA256
6148f99291d39b791d7c7e8a84a43dcc42e93c569844bcea71fcd51d206b3f29

SHA512
6cb52e8cb6ae9acd179c252f7272e0c95e08394626598b95eee89d42b70c5db25414e9f6e687227a67d7a6d0441b1cc251f8be5ffd60a05e607aed83abe70b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

Filesize
225B

MD5
2771d421d9c7f39f1bb40ca8957753fa

SHA1
1917b6f531cc4d13d95cf4c33311092e801ace31

SHA256
a245d36e5d89e05b8a487038d059ef092eca5035c2bacfa3e4f4ae6495d77576

SHA512
b67c51ab6264459ed3602a93455a96f09c5fd489074c9c03aa3ecdbda0c0b849c513de7f2b892eb3ab045dd5cd7eaa337f04122015cb78e9ac0901c5d21f8243

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

Filesize
225B

MD5
3fe84a13c49310f71ad192edd8f327eb

SHA1
5aa10ebfc6ccd1cba0551e0afa08eca4ffe38b8b

SHA256
38c0f6853da75a0ae81fb09a2efb5ab402ddbdf853bb859461a4fab6ca54dad7

SHA512
1832713bb7e67f4b97846ff6067a602c7a388836426c56555ca3dd2349c4bb6beb08a485f1405875d06d9745af58ba382333c0f742c0df89de60e3661fc67d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3258.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
225B

MD5
d2ed40fccad74084f2cb936f3cdba5e7

SHA1
d2bae4c4f43b8f75a7c8f275493524fcaae445d7

SHA256
83416af2f8a80d5ab4216a6d86791e9db396cd6dddba1646de77286b6a72d101

SHA512
053ac4decf85afcd8368739c5170c7e054980ee0c650a7781626862ddba0c1fab64f163c0fd77b15a25392673a530b7b4549ce68f7e4e7942a1dd99e6393784b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat

Filesize
225B

MD5
4ef052699a0560d6441782fc3b6343f9

SHA1
92a51f7b2219e67385de2bb3937dd6a0c6ee2d12

SHA256
d58f99bd2bb1bea806ad3d0e4a1f90f837e4427a6ad7eb895e9da56e88ba186e

SHA512
1f71039b373dbbcbca920ea06a5098ba2975640f86213565b99fee31cb067011f8ebfc4b1bf620baff902a3c9e7e079165216cd525dde0daaf9430e91064a406

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

Filesize
225B

MD5
cb6f6c227cba81128ced28a41c626f17

SHA1
3325041835a10b8e228d17f80efc7784450258dd

SHA256
cfadf629f1338dd9bc8869553dfab6d24779e409c4a1ae44f13009f10bb2982d

SHA512
9e6d778460ee1bfcf96c306377e642a2d557099c35f75cc3e786108030042818b100babbcc79988fcc415c0ec4faace0b47f03b01764cfcadc870bfe66fd730d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar328A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat

Filesize
225B

MD5
780141520bf40e55de0a3730d1a79f79

SHA1
74a1544ac8f24ffe5f9cb464ab250ff83f7fffda

SHA256
9c3b86e843e80ff4a05b7110df4661062addf4dfae5a9b5ddfdff72d5dfa6420

SHA512
b87cafaddf8ddf097884ccf6d93e9af5e40cea807110835b70d207ad22312a09720d5c4e87fd829f8982b66897da3a6ad8281d2451e894d96903ba0566fd1fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

Filesize
225B

MD5
445fa0c83027411838280354d17f21a3

SHA1
3cbffb71eb9c901e837d13d5752e499575e23c5b

SHA256
79ab43a3c3c7efeda951e9550ee20e8bc4bd7aa2906b58f30047db0070df2f35

SHA512
eec98378eed65135bab96c9774cec16b95e4bf819780bebe53d8612b17b1505e9b72fce0dd7fbb48c9d27e8bb7169342971cf08e5630da6d1db690affe179542

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
225B

MD5
c2222967fc001b41714ceebbd033f95d

SHA1
820284b42a9529a4832eac2b3b6ebedcf8cefee4

SHA256
aafe619e2615f83631bca0faee8eda3c617cfc54d073d92f29b199150ca8d76c

SHA512
5cf862a23efb55198f2be82207239fbce6b7bbb61fca80f485d70d749304c7232121f79f9ed0c58902e2bdee6fef2d7571f1c4e7f78132ae44bbee4ab4ec025f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
225B

MD5
e4c3e061b76097b32d77d156c32c6199

SHA1
0590835188cbeb736180390f556297d9300be5ab

SHA256
5daf3d4f43286491c7b01ce4f35382a8b8d68cc6e56275b42e54959695d15916

SHA512
c302c900e9b24a33001ef6421b8dc13cd9aec442c065773daf7ebd7d745def839cd05ff7b7bda8acbda2b6eac27cff2f224c9074fd6099e600ef832bc582d463

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
225B

MD5
c9ee3d0a509c3a39a19f9a35788b248b

SHA1
e76d6323e114563e6ee4b5ff1a42c6727eed1282

SHA256
c334842e17db0a92682035f6e014c08f6b16aecc9188b3a35c59367217db8e77

SHA512
8424db8c1d9ac642f5bdf16f11b660d34a127f27af1922a207a4bc8e9066c93533dcb1190aadc27f3ce21b745d14488b949f89f1ad6f9507d84518a920b02c39

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat

Filesize
225B

MD5
8f405e24cfa3c6d702896629d4b1cfb9

SHA1
f9edf4fcc5571d20062cf1fc1e909c077e59986a

SHA256
16211f9f0a2306653e93b9600e4b35bfe18a3c134117c2ff27d828145011e79e

SHA512
32dcb96b054f9ad3a12cb06163037056f860636a5b669e663102bd0c7c7e944d5be85a838a908d6aa5045c261282815c722068db36768839fe5fc0653d884948

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RRS2CHRRN6ZZJ3XTUBAU.temp

Filesize
7KB

MD5
be02b17c6d7ba2fff9bee9c6be53058c

SHA1
01415324c1459870395ea6353fd70a5c548d9b25

SHA256
73a14d93c092a5d06d4feecd561d9ae68af8fcb9ee05f01111a6fcfac81919b7

SHA512
3f074db306e0b6770e4c411f41e4270c5a5dcc572c6e385a04912b9cca5f3cab2d5cb2dffe75daeac809b749c588f5076c7f640cdeb70a18d41ee6d9504b1581

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1156-61-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/1156-60-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1244-554-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download
memory/1640-433-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1800-732-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/1964-493-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/1964-494-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2296-54-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/2368-196-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/2752-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2752-13-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/2752-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2752-15-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download