dcrat | ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6.exe
Size

1.3MB
MD5

3b02d4c2526240f96b35c528db73ce99
SHA1

e07ca4d5b32d28366a2f6b62afc553b9e1cae4c8
SHA256

ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6
SHA512

05a65b2e0ef5b2dd5d49bd2be9ec303eba172de152e8bfb42d034b3cef158e468ae14d2137ff623e76d774b06f58e228a8d0c260571f53a9d5cc377bdb967931
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2152	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001926b-12.dat	dcrat
behavioral1/memory/2844-13-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat
behavioral1/memory/588-136-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/1160-196-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/2260-257-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2736-318-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/3052-378-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/1436-497-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/1948-558-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2980-618-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/1552-678-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1392	powershell.exe
1896	powershell.exe
996	powershell.exe
1496	powershell.exe
892	powershell.exe
1512	powershell.exe
880	powershell.exe
1736	powershell.exe
1788	powershell.exe
2424	powershell.exe
1676	powershell.exe
1084	powershell.exe
2408	powershell.exe
2108	powershell.exe
2320	powershell.exe
1076	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2844	DllCommonsvc.exe
588	audiodg.exe
1160	audiodg.exe
2260	audiodg.exe
2736	audiodg.exe
3052	audiodg.exe
2748	audiodg.exe
1436	audiodg.exe
1948	audiodg.exe
2980	audiodg.exe
1552	audiodg.exe
780	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	cmd.exe
2832	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
26	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Journal\Templates\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2448	schtasks.exe
1556	schtasks.exe
2380	schtasks.exe
784	schtasks.exe
3012	schtasks.exe
2208	schtasks.exe
616	schtasks.exe
2912	schtasks.exe
1796	schtasks.exe
908	schtasks.exe
2480	schtasks.exe
1760	schtasks.exe
2996	schtasks.exe
444	schtasks.exe
1660	schtasks.exe
2436	schtasks.exe
1976	schtasks.exe
2212	schtasks.exe
1096	schtasks.exe
1108	schtasks.exe
1432	schtasks.exe
2260	schtasks.exe
2124	schtasks.exe
2836	schtasks.exe
1128	schtasks.exe
2352	schtasks.exe
676	schtasks.exe
2540	schtasks.exe
2592	schtasks.exe
2232	schtasks.exe
1056	schtasks.exe
2388	schtasks.exe
2384	schtasks.exe
636	schtasks.exe
2868	schtasks.exe
2268	schtasks.exe
1352	schtasks.exe
760	schtasks.exe
2188	schtasks.exe
1964	schtasks.exe
1500	schtasks.exe
344	schtasks.exe
592	schtasks.exe
952	schtasks.exe
860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
880	powershell.exe
1736	powershell.exe
1512	powershell.exe
1392	powershell.exe
2408	powershell.exe
2108	powershell.exe
1084	powershell.exe
1496	powershell.exe
996	powershell.exe
1788	powershell.exe
2320	powershell.exe
2424	powershell.exe
1896	powershell.exe
1076	powershell.exe
1676	powershell.exe
892	powershell.exe
588	audiodg.exe
1160	audiodg.exe
2260	audiodg.exe
2736	audiodg.exe
3052	audiodg.exe
2748	audiodg.exe
1436	audiodg.exe
1948	audiodg.exe
2980	audiodg.exe
1552	audiodg.exe
780	audiodg.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	DllCommonsvc.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	588	audiodg.exe
Token: SeDebugPrivilege	1160	audiodg.exe
Token: SeDebugPrivilege	2260	audiodg.exe
Token: SeDebugPrivilege	2736	audiodg.exe
Token: SeDebugPrivilege	3052	audiodg.exe
Token: SeDebugPrivilege	2748	audiodg.exe
Token: SeDebugPrivilege	1436	audiodg.exe
Token: SeDebugPrivilege	1948	audiodg.exe
Token: SeDebugPrivilege	2980	audiodg.exe
Token: SeDebugPrivilege	1552	audiodg.exe
Token: SeDebugPrivilege	780	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2788	2660	JaffaCakes118_ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6.exe	30
PID 2660 wrote to memory of 2788	2660	JaffaCakes118_ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6.exe	30
PID 2660 wrote to memory of 2788	2660	JaffaCakes118_ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6.exe	30
PID 2660 wrote to memory of 2788	2660	JaffaCakes118_ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6.exe	30
PID 2788 wrote to memory of 2832	2788	WScript.exe	31
PID 2788 wrote to memory of 2832	2788	WScript.exe	31
PID 2788 wrote to memory of 2832	2788	WScript.exe	31
PID 2788 wrote to memory of 2832	2788	WScript.exe	31
PID 2832 wrote to memory of 2844	2832	cmd.exe	33
PID 2832 wrote to memory of 2844	2832	cmd.exe	33
PID 2832 wrote to memory of 2844	2832	cmd.exe	33
PID 2832 wrote to memory of 2844	2832	cmd.exe	33
PID 2844 wrote to memory of 2424	2844	DllCommonsvc.exe	80
PID 2844 wrote to memory of 2424	2844	DllCommonsvc.exe	80
PID 2844 wrote to memory of 2424	2844	DllCommonsvc.exe	80
PID 2844 wrote to memory of 996	2844	DllCommonsvc.exe	81
PID 2844 wrote to memory of 996	2844	DllCommonsvc.exe	81
PID 2844 wrote to memory of 996	2844	DllCommonsvc.exe	81
PID 2844 wrote to memory of 1392	2844	DllCommonsvc.exe	82
PID 2844 wrote to memory of 1392	2844	DllCommonsvc.exe	82
PID 2844 wrote to memory of 1392	2844	DllCommonsvc.exe	82
PID 2844 wrote to memory of 1496	2844	DllCommonsvc.exe	83
PID 2844 wrote to memory of 1496	2844	DllCommonsvc.exe	83
PID 2844 wrote to memory of 1496	2844	DllCommonsvc.exe	83
PID 2844 wrote to memory of 2108	2844	DllCommonsvc.exe	84
PID 2844 wrote to memory of 2108	2844	DllCommonsvc.exe	84
PID 2844 wrote to memory of 2108	2844	DllCommonsvc.exe	84
PID 2844 wrote to memory of 1076	2844	DllCommonsvc.exe	85
PID 2844 wrote to memory of 1076	2844	DllCommonsvc.exe	85
PID 2844 wrote to memory of 1076	2844	DllCommonsvc.exe	85
PID 2844 wrote to memory of 892	2844	DllCommonsvc.exe	86
PID 2844 wrote to memory of 892	2844	DllCommonsvc.exe	86
PID 2844 wrote to memory of 892	2844	DllCommonsvc.exe	86
PID 2844 wrote to memory of 1512	2844	DllCommonsvc.exe	87
PID 2844 wrote to memory of 1512	2844	DllCommonsvc.exe	87
PID 2844 wrote to memory of 1512	2844	DllCommonsvc.exe	87
PID 2844 wrote to memory of 1084	2844	DllCommonsvc.exe	88
PID 2844 wrote to memory of 1084	2844	DllCommonsvc.exe	88
PID 2844 wrote to memory of 1084	2844	DllCommonsvc.exe	88
PID 2844 wrote to memory of 1676	2844	DllCommonsvc.exe	89
PID 2844 wrote to memory of 1676	2844	DllCommonsvc.exe	89
PID 2844 wrote to memory of 1676	2844	DllCommonsvc.exe	89
PID 2844 wrote to memory of 1788	2844	DllCommonsvc.exe	90
PID 2844 wrote to memory of 1788	2844	DllCommonsvc.exe	90
PID 2844 wrote to memory of 1788	2844	DllCommonsvc.exe	90
PID 2844 wrote to memory of 880	2844	DllCommonsvc.exe	91
PID 2844 wrote to memory of 880	2844	DllCommonsvc.exe	91
PID 2844 wrote to memory of 880	2844	DllCommonsvc.exe	91
PID 2844 wrote to memory of 1736	2844	DllCommonsvc.exe	92
PID 2844 wrote to memory of 1736	2844	DllCommonsvc.exe	92
PID 2844 wrote to memory of 1736	2844	DllCommonsvc.exe	92
PID 2844 wrote to memory of 1896	2844	DllCommonsvc.exe	93
PID 2844 wrote to memory of 1896	2844	DllCommonsvc.exe	93
PID 2844 wrote to memory of 1896	2844	DllCommonsvc.exe	93
PID 2844 wrote to memory of 2320	2844	DllCommonsvc.exe	94
PID 2844 wrote to memory of 2320	2844	DllCommonsvc.exe	94
PID 2844 wrote to memory of 2320	2844	DllCommonsvc.exe	94
PID 2844 wrote to memory of 2408	2844	DllCommonsvc.exe	95
PID 2844 wrote to memory of 2408	2844	DllCommonsvc.exe	95
PID 2844 wrote to memory of 2408	2844	DllCommonsvc.exe	95
PID 2844 wrote to memory of 2596	2844	DllCommonsvc.exe	112
PID 2844 wrote to memory of 2596	2844	DllCommonsvc.exe	112
PID 2844 wrote to memory of 2596	2844	DllCommonsvc.exe	112
PID 2596 wrote to memory of 1948	2596	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff721a3bf08dcdcb743b248bee6fb4907c40d31838cc86652e0191a95b29d9c6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uKqKypk5j2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2596
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1948
      - C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        7⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2308
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat"
        9⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1668
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
        11⤵
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1128
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        13⤵
        
        PID:340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1096
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        15⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2484
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat"
        17⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1656
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
        19⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2164
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
        21⤵
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1496
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
        23⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2480
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        25⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3036
        
        C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\PolicyDefinitions\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3fc418a2272f239666cf723237e44fd

SHA1
71c90075b7f74fc790e472dc7cf741162fe5e607

SHA256
e3ae742f2947f49537442d0c2874656c1e32602f4ce7e5b24e03519946f9dca9

SHA512
27bed4b82de9eaa926c3c8a46ae45122a1a3e66a0afa52571f904fac65e97a497c9fcc3e2728fe63a98695f8a0920288518dcf9af9d1a9982e266d6bfdd82cdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9979f186a85e2d3b2916e696224462cd

SHA1
c937dac08e6373a10b3fd93f90713166ee181020

SHA256
bdec7f911da2c42fa7c9da9e5dec7ea31d66b2505c6762b2d0f525c78ff30c54

SHA512
fea4f108f8e4a3dfc8d017d123300209b37ae4d4a0c7f35f829f734bffddb168503d740cab47a7241f6f71c90898a0e7251887b9ffe0f04190463146f9768d3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c95081220b3893e253c1e5f62b2aee27

SHA1
f1a87e861556633d9ef342002d321334472bcbe4

SHA256
70c5bd59c564df6a792a6cd9220f38a99ce19ae071e6ff12e78c680a718f3fae

SHA512
28da5c56c6290891b2276b7bf3ade84feefe51ec5c9a794c16c8b02d6cb0be5d9cc35eb2f568809cc3e096c817741937b27b2fc0e4f9a548eb02cc06879f0120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20276a3844f8fcf27eb5639a701c3422

SHA1
63e76f501a13aa72894b6981bb94d2b4dc724e88

SHA256
16cdebe2213b8b108358166d7a2411f20c5d56a864e72d5096b97e165b93050c

SHA512
cb6dbaf9c9eac787e1f1ee523d6840320e75a689e43a7d593fffde55954ed1439d39c4c757cbe9b0556bebbefce3e75567c3d602affbc237c28d1d5e4e08e393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3faf830a31dce95fb48729ef6fd9bd2

SHA1
59fc1637616aada81889f82d2eed9540ae0d9c87

SHA256
7e651f384b2a9784a7cdf589c194740b90c6f11f023f7f23ea7d9221601ebb03

SHA512
9f66f266a93ecbd063a32ad6081a9a7b1bdefeaf2fcde327ddc101888b8ddcd80e4b4d8742b01125e842a49eb460080f03059ada56d81296bee377605fed1a1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13b67c61e8286a37c656306a1bc62457

SHA1
e2088a4463ea31ea809f01f59b4d936a97d1ab67

SHA256
ba5611cc98b0873db5d994352918cdde1395a0b166adfd7e09711143084640e5

SHA512
36836b5efc5b6e5ed7a69298ce04bf70e9b0b9e38f3a9daf742dde78c2c730520489947d0c451c532cb79d2f09cbf81492b45c0bab140f9dd2972017be79e194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10253a080e0cf9ada8c9d11e659b4192

SHA1
453b3faa66c29887d71b6de9fbee331319de4ca8

SHA256
d743d6fdd37575b284b7c2ddc2d2c502dca4e0ed1fab19258e5f685984a7aca6

SHA512
6b53b488398106dce0cbcdde6c855432e2472faa513a5618e0902a5b86b7f22b29c32d55b078ded9a07274c8694eb30e4f893600fd64f8343b79055ed68b9c3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8324fc49d81bef7928436844fb393597

SHA1
8c34d417a7d8d719a6485d1d8f58a104f3c82d4d

SHA256
42ebec688dcd0dcebd31bcc8ffed732bfa40bab438deb78c9983a572da56a114

SHA512
01a607c66cf6ae85876755e21cedbcefe1e7fbafd4b09487f778aa88934e20c62b9a613701187537f998867142806744c3969692fe55a6464f395455698f7248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
734a1e85407e720ca5f0ab0cc04abce0

SHA1
df358e49c58428fa59bd8be40ebb6119dd4d298d

SHA256
36fddd2a552771ee071cfe81ca66691662cd511338c356a41ab13eaf4dc84c00

SHA512
7f96eca904310b7719ffd724912f24a17421f88707461505285d57f6921735582413e8417b9f579a661430c34766e9703da39144caa8c059b4b66245d414b3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8632.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat

Filesize
239B

MD5
93eb48000aaba69e7536af2d4e706c06

SHA1
4e3c904be3627be388fde4cf9c6e28ac4d6f0233

SHA256
77c19faa2e2627024a1573d9ccdc2875eb2686de1794245622d839868dcf8224

SHA512
8d0addd1d10c2baafedd3f930b3f7795ccd8e4ddf7001c08725177565f18550817abd23d2a5a1d4e63dc9bd66615ca9b007bcdd8870e5e8b568dfe5c54056109

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

Filesize
239B

MD5
a1c274aa9fde4cbdb3cd72783e2864e7

SHA1
9c2ca18469c6994d7847111fd635ded8a9253dbe

SHA256
c48c60a4719df9bc754e534a2af6e3ce742706ba581b59283db6e839c6dcf553

SHA512
05563aa1e3196128a5bfc1095f6776ad6751c65a50d4122d9ffa2b893ef1858b840bfda572148faf53d1e59f0ab3b69e311ada70fa07bf76ac64cec5fb0f4f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXo39smTXJ.bat

Filesize
239B

MD5
c8b28b4bf1b14442c40ffe6691577a2a

SHA1
3ce28f4a42115ed3bba972312f8e53251daca173

SHA256
ab0542e6b6c68c25f4cdc80213941399efadd12f0734683f483bac6a8c18cc5e

SHA512
87aa77ff382ef0fa04b71bf80f66ebeb14914454431bcc39c8e0b4372d4e6cd0e7c9816400898e9158fb4c34ab828af265fb686cef651fb83b2240628b9b89fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8635.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
239B

MD5
95e5e16039d9e762bc4dcfc02736f135

SHA1
c6d65e0602ac49bb206d1f8cbc0f8ecd96b592f2

SHA256
97672e2de8b776f40841a38ffafb7251fc25f4b5c4c352d0cae4a012b058c23b

SHA512
7bc764d00be13091dbc6f5e72a44c0494008103bf4ad5818da73a33773d618681dc886d136d2ac06e5161d098eebfd37ea22ee55696636e1a9651ab618169fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
239B

MD5
8b281ffe84c9d0f9b992328eb25cb2ef

SHA1
4e5ac2685c9c111866b38fd04a29e3429edec4a0

SHA256
51c4ff1fdd79dca6de6a2105d3be949469f413f6115edc4a8efab9777abde9b8

SHA512
ff46603777830abc128087c92aaba617c46ec0b9849891789641a9a014163cb5be004cca47122790160d53ec1bd4a80072756a0481f2dfc1e814bf63519f449f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

Filesize
239B

MD5
0455ccd27a5305bdadbec9d783026b6c

SHA1
1f17ebb86da355b6488c97f2fcb4b980827adc23

SHA256
a18500a05de016ec265c4e6692419407a26a21775f8b6cf4b7fc07448cb38153

SHA512
259b53aec54abc4d1b4b445786d93fd1f1d4824b6606b01b6a56ee7e389ce68e4cb169e047fe4122f9df5fd7b842e1c8dffd9780d82d14e29245f32e9898e0e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
239B

MD5
ec86fc64452ffd9283eace73741cefff

SHA1
da05aaaba2357a3a2e9cf841de492946e5086c1f

SHA256
66d91ecdefe645525fc970fe2d372761790d9d66570b232f616280f99867f2c5

SHA512
55ef2a7080c8dec8edac8ced1b72ac7829bbbbfdb8988bcdc70bd6b5342195b62bd10ca90f79ab6b457b17be630f598658b7d3981d9bd02e80faf01099c9737c

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
239B

MD5
659005c3d1d196c60241e04be7aa4714

SHA1
4dbfce283c65d0b0ea403c8484ecdbcee107656d

SHA256
ade51a4f0ce0f254707a921ebee46e36db68cd927dfefb811c706198450d5938

SHA512
603e41e8b57a7368469a55f444f0977be474c203ffbbbdb9d5af28b1867a9722a732b218ce616fa2c5ef106ec7ddfaf4c16600e6fb4fed592b401bc91d4a76dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

Filesize
239B

MD5
b60316a3b367e5959d9dd9bf1228f6bc

SHA1
b881dfcaf049c92e4f9cfaedfc11e6673c5356b1

SHA256
e8888fec3ae38a2c548de88d4da702693883ccedb73c00db15c31ee28447167a

SHA512
22b7208121a267ed891bfdc56b349e07b9c5e1181203a971d323903d6ec0f7efc3f7e35f6d214c9be0254fcd5bb8bb1e786a69fa7bfa934fc787cd976a22538e

Download Submit
C:\Users\Admin\AppData\Local\Temp\uKqKypk5j2.bat

Filesize
239B

MD5
4c9ad7a3f2d7c3c2c36e9b48eece6630

SHA1
2180939583d10b34c4ef4cb65c7fa533888068a6

SHA256
2c14c19f7bb830fb666661b14298d9990ff365bad44c4ef7884ebfd07ca3c629

SHA512
90a8010ae8636654b7c59ca5a16813e7fc3ca249f6e742ef40ca25b369bd5604cac536cb026a20874d3dba66c897113d2811a931952b36a76ead48afd6f94e48

Download Submit
C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat

Filesize
239B

MD5
d32c1ae85a28a0e4cd45c0c8775f0b18

SHA1
cdd509dbe17bdaaf87be1af865628dce8a8d5927

SHA256
e0d53fc78bdfb9af0e06e2b1271b09e85fed226a4215a5800b298c0de5a15bf4

SHA512
a17ed31be017af18c5b8afb38c54f75412dc35ff59ae41d4b7ea71529ccbafc3194517e423f132456b0cbc7ff4b9290732192987c1caa3e163f1df05b2492d27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1a9d23c28d52e1d3538e605946762085

SHA1
cf1aa2d1a314b0b1153d71c2e28e8cc84c3f0e20

SHA256
0b1e40d788e4119a6b7e8f36f3460194bb4b37a78d71c691e215303de7c5fc83

SHA512
dff85ab6a1c0b089e403c730c2f08e997d6e98235f1daac536f9f880945d5fc5fcba7f0119271e16474408c01c0f038e90b9a49588769525d38104a42db0d375

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/588-137-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/588-136-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/880-89-0x0000000001D80000-0x0000000001D88000-memory.dmp

Filesize
32KB

Download
memory/1160-197-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1160-196-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/1436-497-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/1436-498-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1552-678-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/1788-88-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1948-558-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2260-258-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/2260-257-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2736-318-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/2844-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2844-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2844-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2844-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2844-13-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/2980-618-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/3052-378-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download