dcrat | 493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454.exe
Size

1.3MB
MD5

3f39c5dae94184a45ae30d2d7941f37a
SHA1

b1e54287275fc17f1be91fab95339ac853974a53
SHA256

493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454
SHA512

2e3d488d8f54b948fb165da1d38a4d9604667e2eb3d7537a985b4cbd3a325fca29388e0206184642a45a4f56522709fa98bc4dfd94149c605095b86babcf5c6c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2776	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2776	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001903b-9.dat	dcrat
behavioral1/memory/2760-13-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/3008-48-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/1760-173-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/1676-293-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2624-353-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/1720-413-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2880-473-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2644-533-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2452-593-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/2668-712-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1540	powershell.exe
2952	powershell.exe
2148	powershell.exe
2572	powershell.exe
2344	powershell.exe
1076	powershell.exe
780	powershell.exe
2472	powershell.exe
1664	powershell.exe
1528	powershell.exe
2308	powershell.exe
1676	powershell.exe
2476	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2760	DllCommonsvc.exe
3008	spoolsv.exe
1760	spoolsv.exe
1136	spoolsv.exe
1676	spoolsv.exe
2624	spoolsv.exe
1720	spoolsv.exe
2880	spoolsv.exe
2644	spoolsv.exe
2452	spoolsv.exe
1804	spoolsv.exe
2668	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	cmd.exe
2300	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
31	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
17	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\OSPPSVC.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Architecture\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Architecture\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\servicing\it-IT\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe
824	schtasks.exe
2284	schtasks.exe
2028	schtasks.exe
1520	schtasks.exe
1196	schtasks.exe
2908	schtasks.exe
2704	schtasks.exe
1628	schtasks.exe
2008	schtasks.exe
2588	schtasks.exe
2808	schtasks.exe
2620	schtasks.exe
1636	schtasks.exe
1936	schtasks.exe
1920	schtasks.exe
2796	schtasks.exe
1820	schtasks.exe
1816	schtasks.exe
2272	schtasks.exe
2632	schtasks.exe
1972	schtasks.exe
1948	schtasks.exe
2680	schtasks.exe
3036	schtasks.exe
2500	schtasks.exe
1132	schtasks.exe
2848	schtasks.exe
2592	schtasks.exe
1268	schtasks.exe
848	schtasks.exe
1096	schtasks.exe
2644	schtasks.exe
868	schtasks.exe
1748	schtasks.exe
2440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
1528	powershell.exe
2476	powershell.exe
2344	powershell.exe
1676	powershell.exe
2572	powershell.exe
2952	powershell.exe
2308	powershell.exe
1664	powershell.exe
780	powershell.exe
2472	powershell.exe
1076	powershell.exe
1540	powershell.exe
3008	spoolsv.exe
2148	powershell.exe
1760	spoolsv.exe
1136	spoolsv.exe
1676	spoolsv.exe
2624	spoolsv.exe
1720	spoolsv.exe
2880	spoolsv.exe
2644	spoolsv.exe
2452	spoolsv.exe
1804	spoolsv.exe
2668	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	3008	spoolsv.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1760	spoolsv.exe
Token: SeDebugPrivilege	1136	spoolsv.exe
Token: SeDebugPrivilege	1676	spoolsv.exe
Token: SeDebugPrivilege	2624	spoolsv.exe
Token: SeDebugPrivilege	1720	spoolsv.exe
Token: SeDebugPrivilege	2880	spoolsv.exe
Token: SeDebugPrivilege	2644	spoolsv.exe
Token: SeDebugPrivilege	2452	spoolsv.exe
Token: SeDebugPrivilege	1804	spoolsv.exe
Token: SeDebugPrivilege	2668	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2068	2216	JaffaCakes118_493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454.exe	30
PID 2216 wrote to memory of 2068	2216	JaffaCakes118_493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454.exe	30
PID 2216 wrote to memory of 2068	2216	JaffaCakes118_493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454.exe	30
PID 2216 wrote to memory of 2068	2216	JaffaCakes118_493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454.exe	30
PID 2068 wrote to memory of 2300	2068	WScript.exe	32
PID 2068 wrote to memory of 2300	2068	WScript.exe	32
PID 2068 wrote to memory of 2300	2068	WScript.exe	32
PID 2068 wrote to memory of 2300	2068	WScript.exe	32
PID 2300 wrote to memory of 2760	2300	cmd.exe	34
PID 2300 wrote to memory of 2760	2300	cmd.exe	34
PID 2300 wrote to memory of 2760	2300	cmd.exe	34
PID 2300 wrote to memory of 2760	2300	cmd.exe	34
PID 2760 wrote to memory of 1528	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 1528	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 1528	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 1676	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 1676	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 1676	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 2308	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 2308	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 2308	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 1540	2760	DllCommonsvc.exe	76
PID 2760 wrote to memory of 1540	2760	DllCommonsvc.exe	76
PID 2760 wrote to memory of 1540	2760	DllCommonsvc.exe	76
PID 2760 wrote to memory of 2476	2760	DllCommonsvc.exe	79
PID 2760 wrote to memory of 2476	2760	DllCommonsvc.exe	79
PID 2760 wrote to memory of 2476	2760	DllCommonsvc.exe	79
PID 2760 wrote to memory of 1664	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 1664	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 1664	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 2472	2760	DllCommonsvc.exe	81
PID 2760 wrote to memory of 2472	2760	DllCommonsvc.exe	81
PID 2760 wrote to memory of 2472	2760	DllCommonsvc.exe	81
PID 2760 wrote to memory of 780	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 780	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 780	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 1076	2760	DllCommonsvc.exe	83
PID 2760 wrote to memory of 1076	2760	DllCommonsvc.exe	83
PID 2760 wrote to memory of 1076	2760	DllCommonsvc.exe	83
PID 2760 wrote to memory of 2952	2760	DllCommonsvc.exe	84
PID 2760 wrote to memory of 2952	2760	DllCommonsvc.exe	84
PID 2760 wrote to memory of 2952	2760	DllCommonsvc.exe	84
PID 2760 wrote to memory of 2344	2760	DllCommonsvc.exe	85
PID 2760 wrote to memory of 2344	2760	DllCommonsvc.exe	85
PID 2760 wrote to memory of 2344	2760	DllCommonsvc.exe	85
PID 2760 wrote to memory of 2572	2760	DllCommonsvc.exe	86
PID 2760 wrote to memory of 2572	2760	DllCommonsvc.exe	86
PID 2760 wrote to memory of 2572	2760	DllCommonsvc.exe	86
PID 2760 wrote to memory of 2148	2760	DllCommonsvc.exe	87
PID 2760 wrote to memory of 2148	2760	DllCommonsvc.exe	87
PID 2760 wrote to memory of 2148	2760	DllCommonsvc.exe	87
PID 2760 wrote to memory of 3008	2760	DllCommonsvc.exe	98
PID 2760 wrote to memory of 3008	2760	DllCommonsvc.exe	98
PID 2760 wrote to memory of 3008	2760	DllCommonsvc.exe	98
PID 3008 wrote to memory of 1680	3008	spoolsv.exe	99
PID 3008 wrote to memory of 1680	3008	spoolsv.exe	99
PID 3008 wrote to memory of 1680	3008	spoolsv.exe	99
PID 1680 wrote to memory of 2604	1680	cmd.exe	101
PID 1680 wrote to memory of 2604	1680	cmd.exe	101
PID 1680 wrote to memory of 2604	1680	cmd.exe	101
PID 1680 wrote to memory of 1760	1680	cmd.exe	102
PID 1680 wrote to memory of 1760	1680	cmd.exe	102
PID 1680 wrote to memory of 1760	1680	cmd.exe	102
PID 1760 wrote to memory of 2836	1760	spoolsv.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_493975a94ebf1954f85995b8a85335c568c52075bdf07b9e62714fe46a2d6454.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Architecture\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft Help\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2604
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        8⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1712
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
        10⤵
        
        PID:1584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:772
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        12⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2332
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        14⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1664
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
        16⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:760
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat"
        18⤵
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2816
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat"
        20⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2856
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        22⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1600
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        24⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2164
        
        C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe
        
        "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Architecture\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Architecture\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Architecture\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Microsoft Help\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft Help\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Microsoft Help\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\SpeechEngines\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6a43a3e85b3431f43efb57980f75fd0

SHA1
b1dca37741ba9fab75a0cfa09c06db2c40bd7060

SHA256
3037dd8abb44684235d61004eb3f4f22c660ed6f855329c815cb542e7ec125ff

SHA512
79b91485c5bcf530a261623bbf2426e917548e563f920b9e2505200087b933bf2865470aecc50cf5a3e43ffabea570207d3109825a5f9eaf22a08869d4b4014c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
516cc5cfbe204d92cd96c30f7b37000d

SHA1
c9e45e8a8caf9481865f1e27608ef7c188815125

SHA256
03ea738e349cdb04f0bb84f41460d681335365e9d922dd76c8723182a8172ad5

SHA512
2e2f5df4171ec957b2cf2f90ef94a7957aac0f1f95d3d2f4c2529544fd41c5a86062103698dd2d78687d017cb7fd81e4f0b9bf5a10656a224030558518864dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c784ec848996dc808cd9c4f53ed56ec8

SHA1
0909c0170fcbd28569f0ff92e6fa397c70250601

SHA256
b9e6c85496ea54ce97236456cee69af436a4b55ae674a642047bdc06fa35f2fb

SHA512
21e66b64cd46e28efb2cd1a4745e734414edc6247e32288da212fc41d4030b614b5fd23f5da8637cb284e4545d7e6a0639f987e0e86a6f1204f70963f8bab2ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
666b9828f291128f733e0860c6e345e8

SHA1
db5810c5bca6ba67a02dc68ea2635aded038d1f4

SHA256
ade38eed300b7e7d02717621bd58f4852690fed4f107e5c1e54f8ac4c4e606b1

SHA512
a86b465411a071f4d7c5ceca099ca9bb4e38fcd5f2bebf7e22e2e2d499df1f80be168cb23d91286b8a4547f53c00aa79344bec8a65b739e85136255844f5a4fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13f0a1bc09a56e424f89e1329e500a32

SHA1
5c95ade2efc2ec506f5bec4a42a39b1a2c1296d5

SHA256
ed00e8b9cef1198359c27b53e84f7b97184a3fdee0782fcabffa34bcd52708d4

SHA512
2e9ed5c0dcce8e447b7df719e22fa843d9cf8e6eecb942ee290e93dadfcae32d18e69e35519e1a7ca3acb08a75f59e95b70a38bcd91c9ce2eeee4c5a94aaa969

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab8cf5009072a72b099c74cfafd60196

SHA1
b2f6f37053419d32d63401f86ab309e9914835f3

SHA256
bb0e6fe3674cc4ae2e0c9d7e04c47d1b9fd952aac6ffe9be692edb599e356ca6

SHA512
f0543f821d14233ba3549d93fb0927ed477ff77b92f096aa0d2e48a28c2b1d2afbfeefbfa7e486b4a3d2523856dec4f4a56453647fb103e45357ac76b4bd0aab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
904b4d3be69b561ca660376cdc26e704

SHA1
5fdeb7092a0754685a623c2ee459afddb7550b37

SHA256
3aa4e7812d052b3441c149bb27bfcb87e7eaa2088f4337fd248cc05deefed526

SHA512
f6e7cfb5d4777ea71e5fe094c50eaac2f8a29ad5b7b756d2f77a9ce54a04b75c434d5f6a7b0f2f46d66e0f932fa92e17817bb4d3ce7b34a36d705059f769a7cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
695292930037d29eb9d7d033ffcc4ec0

SHA1
ace3160547706a0cc3949e2605a3c4c9eef36daa

SHA256
55ff07f6fd511c32685a977b921af05a833eaf38ba143aa03639171ef2f4bccd

SHA512
0dbdaedba35262bf801ce25acc78306ad0ff7c200b5bf43575454750a49a0c38929eb2649a5340b8066151d600029d0578b2a1f1a53c8d3afc7b4e8b8a19faaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aba9b9456e8541bdc4c7e47000550d53

SHA1
60f6722ffbc8f6db423e413297a978bd38661722

SHA256
14644f8acf0cc90cf5480f2c63d371581a87177c92ca611af4eda5aaed0af637

SHA512
ef15f231ced72950b9a5ad680184098d35016b7c99d5547b8845a9df95b06fe812dc8df95018d1f8ba7fc685f2c6e88897f395c7b830c71f22cedb28cd4d1241

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
244B

MD5
53a529131fe4a08d56f12c9e798630bd

SHA1
c9dbe80c113a344b5a104aad97a9e3de4becc2b5

SHA256
894e600cedeb65e46ae16ef44fa60372f0e0fe8f4f9f97285ca7ca328597df07

SHA512
9997fd8c109e4eb9ba0ecc96f1225e86a26d934a44d796c5c0556a5ad529d56ff992088719ef0c9ceeecffde5ab62e043898b2ec36e3adf7c74ec8ebb8b0acfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

Filesize
244B

MD5
0483455d58f4b0a64a38d5319ae1d5ca

SHA1
56db8bb6fc58e25212c32dd99b0bf9b3da9f428a

SHA256
64bf9b8b6863611ce00a1d9cf3ced7514fd25a1e633bd263f28bba00dd36952f

SHA512
173f49287270a48d344d33296c3a9ec34c7ea976090417f5b869e4e5332fa2a05321791eba124bcd786dfe5396236f6a3791adac9bccfe42aa0404d55a47ca4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1325.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat

Filesize
244B

MD5
b5d72e3191e41accfd576729f58ffbf8

SHA1
86e6f2daaf1f192404b963f4b0949c32a8b0ea16

SHA256
0b99073583387bf2fee880d84e049ac6c781c850e2f447b4a046ff8fc09e12b1

SHA512
ccd3e08245e6bd35c24f131a036439bba0111395785bc29fe181eb91d83a7eb9ef7981351becfa61eafaf598b28c38eb76d3167074a1cadce523e66c8f26fa09

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
244B

MD5
2f3efa40fb36d33779d333eabf7283a7

SHA1
1481a4de70594f4d9fed937440a7a34eee93d871

SHA256
3e613cf0ded4b10dbc682033a4d023a61951e4953e7b12a06721a95e6da4a3b9

SHA512
b8048f115c5b2a624ba5a01e05b73af902307e7e8de4143b73bcb5fc986e3475be64ae9ca1e84a5bedc2fde8cda74ded6e52e904659626710bb965e218454f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\R5wNYqVH5b.bat

Filesize
244B

MD5
d7e5182c21fe2fd50e8049fccf874b4d

SHA1
df4f198b440cfbbf038e09c21184d3b5b15f48c5

SHA256
f9ef10bcdf498373432ad63d614f78c69d388a79d74f4c88d392ffbc2893e0eb

SHA512
504c0b3853c385619385299c89ed8c444b1cb9411badfadbff6a1ed8838378f19a850b5f2d200274885bed9263ebd33258537bfc0d9f6906952d71de9f8bd615

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1338.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
244B

MD5
82ea304dcae74ef6cd6e06d29391b33e

SHA1
834963654fce4d9d0fa85d6f15e7b1e6d69679c6

SHA256
cd44c6a90cf2747d35c35dce960160492905651277ee92c397065d81b2bcfb22

SHA512
9ff2341d26031b491934ef0c16d07705487db92c26373cf22dba781500944c456be56c7fb7f9e8a824eb1bb4c56c2f2e4b7006b52a73761e1be35b22e66239ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

Filesize
244B

MD5
8640f3967b82c66734fe0165911f4d06

SHA1
42d93cd78e095c27ca8e68fc4b292a4e6a35f0cd

SHA256
1dd3e574018b8eab075e1680176c145b76ace54706e00878c6dc3f4a5c91c61c

SHA512
e9321c63da38514ace81e41a0d4d5c6aac4d191f9120fd35464ce533f090bc4ef6a8f9b14c74301f6eb8acdd5a531bfbca47f3ce682d01181f9095f743a0a679

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
244B

MD5
5cfe30cc1b7263437b2dac33e6f4602c

SHA1
2f5181bc3b2121b626c7a0a601b70d1020470a58

SHA256
66ab5d2a4916e0838e49962dac02940aca20d87f70690044950030928de68f50

SHA512
d7e83dfedab9738272efae79bafdbeed63a7e3dce8e2307ed1651dbcb014f0c9c3be257ade30d2bdd996505785e3e32860a11c3358ae6220578e6cdaedaae08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hJP5Gj8VmP.bat

Filesize
244B

MD5
fb378721ad828cde9070079874bd4133

SHA1
bc84c80da86518c33f14d6f3e07c646e951f54c2

SHA256
874281d149bf9c571059211abb818a4155a88490a13199a5e75d5b71e11db975

SHA512
d7d211e6726ee63bf43bd9c9354af4ccbed3d4990e6d6e5442b0ccfce473e236843fd14a54d01d17899c30c611d9d9e2eda2d4c85c33a9bb9d35f1fa8e356da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
244B

MD5
b8b61eaebb8156b3d42af1227f8e8e87

SHA1
214fa7f7fd0ad85f309d513fab8ca53fe83a5a99

SHA256
0aa224aed57169f0121817a1ba0a850afb672e3374149c7f811014fef8cf1a1c

SHA512
03e3995eca8a43c3bec14e83fa3f4779ba9a4390fe5f1c9e2ec851d683041ecc42ab0b65120f92fbe7c6d223c0d70b8be16029923fe58b272330c2fd297fc35f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1cd35fcb0b78da0014fe0b729358d815

SHA1
c8faf3c5d5f71121dbc0586bb97f4269ff865d8b

SHA256
f1bfd8f23dd733f3acfcdefe99e6f24fc7e46987fcc2655af42abb6d5340f9ee

SHA512
584d344d63a0a7e1d1acce1533d3487e5d3b011ae9c9cf41485c27bf1397d7f99b8a8bff3cc55234cc49561960c273178297ffed046f99370748b89c6ee73541

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1528-59-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/1528-60-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1676-293-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1720-413-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/1760-174-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1760-173-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2452-593-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2624-353-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/2644-533-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2668-712-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2760-13-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2760-17-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2760-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2760-15-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2760-14-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2880-473-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/3008-48-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download