dcrat | 0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45.exe
Size

1.3MB
MD5

c977600f7b8f14ed91840d707b78a878
SHA1

e9ed087a9dd4b081626bdc8730f25f2ece3e8233
SHA256

0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45
SHA512

e2f100acabe18fc88cf7753f2ff4002087fe19f39e019b9da9bba098b0cc718f50eb13e691a0dab464d38e331ace9712de21adc226139b902ae9845de1b9528c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	3040	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000186fd-9.dat	dcrat
behavioral1/memory/2572-13-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2036-151-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/1572-270-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/292-507-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2828-567-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/2796-627-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2300-687-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1640-747-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe
2948	powershell.exe
2776	powershell.exe
2688	powershell.exe
2664	powershell.exe
2128	powershell.exe
2596	powershell.exe
2772	powershell.exe
2696	powershell.exe
2584	powershell.exe
2700	powershell.exe
2748	powershell.exe
2676	powershell.exe
2672	powershell.exe
2684	powershell.exe
1608	powershell.exe
2612	powershell.exe
2620	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2572	DllCommonsvc.exe
2036	dwm.exe
1824	dwm.exe
1572	dwm.exe
1872	dwm.exe
1520	dwm.exe
2000	dwm.exe
292	dwm.exe
2828	dwm.exe
2796	dwm.exe
2300	dwm.exe
1640	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	cmd.exe
2764	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
28	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\fr-FR\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\fr-FR\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\system\56085415360792	DllCommonsvc.exe
File created	C:\Windows\Media\Garden\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Garden\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\UnattendGC\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
744	schtasks.exe
3000	schtasks.exe
1528	schtasks.exe
2904	schtasks.exe
1656	schtasks.exe
2960	schtasks.exe
2360	schtasks.exe
1580	schtasks.exe
2204	schtasks.exe
1476	schtasks.exe
1244	schtasks.exe
2344	schtasks.exe
1180	schtasks.exe
2132	schtasks.exe
2368	schtasks.exe
756	schtasks.exe
1524	schtasks.exe
300	schtasks.exe
2648	schtasks.exe
1216	schtasks.exe
644	schtasks.exe
1008	schtasks.exe
2916	schtasks.exe
2884	schtasks.exe
1900	schtasks.exe
1408	schtasks.exe
1604	schtasks.exe
1132	schtasks.exe
1960	schtasks.exe
1968	schtasks.exe
264	schtasks.exe
2384	schtasks.exe
328	schtasks.exe
2256	schtasks.exe
952	schtasks.exe
3060	schtasks.exe
2988	schtasks.exe
1868	schtasks.exe
2632	schtasks.exe
1616	schtasks.exe
2124	schtasks.exe
2592	schtasks.exe
1444	schtasks.exe
1680	schtasks.exe
2328	schtasks.exe
2640	schtasks.exe
332	schtasks.exe
1732	schtasks.exe
2508	schtasks.exe
2088	schtasks.exe
1464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2572	DllCommonsvc.exe
1608	powershell.exe
2796	powershell.exe
2676	powershell.exe
2612	powershell.exe
2700	powershell.exe
2664	powershell.exe
2584	powershell.exe
2748	powershell.exe
2948	powershell.exe
2772	powershell.exe
2128	powershell.exe
2688	powershell.exe
2776	powershell.exe
2620	powershell.exe
2684	powershell.exe
2596	powershell.exe
2672	powershell.exe
2696	powershell.exe
2036	dwm.exe
1824	dwm.exe
1572	dwm.exe
1872	dwm.exe
1520	dwm.exe
2000	dwm.exe
292	dwm.exe
2828	dwm.exe
2796	dwm.exe
2300	dwm.exe
1640	dwm.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	DllCommonsvc.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2688	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2036	dwm.exe
Token: SeDebugPrivilege	1824	dwm.exe
Token: SeDebugPrivilege	1572	dwm.exe
Token: SeDebugPrivilege	1872	dwm.exe
Token: SeDebugPrivilege	1520	dwm.exe
Token: SeDebugPrivilege	2000	dwm.exe
Token: SeDebugPrivilege	292	dwm.exe
Token: SeDebugPrivilege	2828	dwm.exe
Token: SeDebugPrivilege	2796	dwm.exe
Token: SeDebugPrivilege	2300	dwm.exe
Token: SeDebugPrivilege	1640	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 2700	2688	JaffaCakes118_0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45.exe	30
PID 2688 wrote to memory of 2700	2688	JaffaCakes118_0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45.exe	30
PID 2688 wrote to memory of 2700	2688	JaffaCakes118_0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45.exe	30
PID 2688 wrote to memory of 2700	2688	JaffaCakes118_0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45.exe	30
PID 2700 wrote to memory of 2764	2700	WScript.exe	31
PID 2700 wrote to memory of 2764	2700	WScript.exe	31
PID 2700 wrote to memory of 2764	2700	WScript.exe	31
PID 2700 wrote to memory of 2764	2700	WScript.exe	31
PID 2764 wrote to memory of 2572	2764	cmd.exe	33
PID 2764 wrote to memory of 2572	2764	cmd.exe	33
PID 2764 wrote to memory of 2572	2764	cmd.exe	33
PID 2764 wrote to memory of 2572	2764	cmd.exe	33
PID 2572 wrote to memory of 2796	2572	DllCommonsvc.exe	86
PID 2572 wrote to memory of 2796	2572	DllCommonsvc.exe	86
PID 2572 wrote to memory of 2796	2572	DllCommonsvc.exe	86
PID 2572 wrote to memory of 2948	2572	DllCommonsvc.exe	87
PID 2572 wrote to memory of 2948	2572	DllCommonsvc.exe	87
PID 2572 wrote to memory of 2948	2572	DllCommonsvc.exe	87
PID 2572 wrote to memory of 2772	2572	DllCommonsvc.exe	88
PID 2572 wrote to memory of 2772	2572	DllCommonsvc.exe	88
PID 2572 wrote to memory of 2772	2572	DllCommonsvc.exe	88
PID 2572 wrote to memory of 2676	2572	DllCommonsvc.exe	89
PID 2572 wrote to memory of 2676	2572	DllCommonsvc.exe	89
PID 2572 wrote to memory of 2676	2572	DllCommonsvc.exe	89
PID 2572 wrote to memory of 2776	2572	DllCommonsvc.exe	90
PID 2572 wrote to memory of 2776	2572	DllCommonsvc.exe	90
PID 2572 wrote to memory of 2776	2572	DllCommonsvc.exe	90
PID 2572 wrote to memory of 2688	2572	DllCommonsvc.exe	91
PID 2572 wrote to memory of 2688	2572	DllCommonsvc.exe	91
PID 2572 wrote to memory of 2688	2572	DllCommonsvc.exe	91
PID 2572 wrote to memory of 2696	2572	DllCommonsvc.exe	92
PID 2572 wrote to memory of 2696	2572	DllCommonsvc.exe	92
PID 2572 wrote to memory of 2696	2572	DllCommonsvc.exe	92
PID 2572 wrote to memory of 2584	2572	DllCommonsvc.exe	93
PID 2572 wrote to memory of 2584	2572	DllCommonsvc.exe	93
PID 2572 wrote to memory of 2584	2572	DllCommonsvc.exe	93
PID 2572 wrote to memory of 2748	2572	DllCommonsvc.exe	94
PID 2572 wrote to memory of 2748	2572	DllCommonsvc.exe	94
PID 2572 wrote to memory of 2748	2572	DllCommonsvc.exe	94
PID 2572 wrote to memory of 2128	2572	DllCommonsvc.exe	95
PID 2572 wrote to memory of 2128	2572	DllCommonsvc.exe	95
PID 2572 wrote to memory of 2128	2572	DllCommonsvc.exe	95
PID 2572 wrote to memory of 2672	2572	DllCommonsvc.exe	96
PID 2572 wrote to memory of 2672	2572	DllCommonsvc.exe	96
PID 2572 wrote to memory of 2672	2572	DllCommonsvc.exe	96
PID 2572 wrote to memory of 2664	2572	DllCommonsvc.exe	97
PID 2572 wrote to memory of 2664	2572	DllCommonsvc.exe	97
PID 2572 wrote to memory of 2664	2572	DllCommonsvc.exe	97
PID 2572 wrote to memory of 2700	2572	DllCommonsvc.exe	98
PID 2572 wrote to memory of 2700	2572	DllCommonsvc.exe	98
PID 2572 wrote to memory of 2700	2572	DllCommonsvc.exe	98
PID 2572 wrote to memory of 2684	2572	DllCommonsvc.exe	99
PID 2572 wrote to memory of 2684	2572	DllCommonsvc.exe	99
PID 2572 wrote to memory of 2684	2572	DllCommonsvc.exe	99
PID 2572 wrote to memory of 2596	2572	DllCommonsvc.exe	100
PID 2572 wrote to memory of 2596	2572	DllCommonsvc.exe	100
PID 2572 wrote to memory of 2596	2572	DllCommonsvc.exe	100
PID 2572 wrote to memory of 1608	2572	DllCommonsvc.exe	101
PID 2572 wrote to memory of 1608	2572	DllCommonsvc.exe	101
PID 2572 wrote to memory of 1608	2572	DllCommonsvc.exe	101
PID 2572 wrote to memory of 2612	2572	DllCommonsvc.exe	102
PID 2572 wrote to memory of 2612	2572	DllCommonsvc.exe	102
PID 2572 wrote to memory of 2612	2572	DllCommonsvc.exe	102
PID 2572 wrote to memory of 2620	2572	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0901f1a38bad15eba199124e3d4cd68d5b486c7e3450e01f19e5ef7b83e53c45.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\fr-FR\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Garden\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\UnattendGC\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHxTOCez5H.bat"
        5⤵
        
        PID:1160
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1516
      - C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat"
        7⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:536
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        9⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:684
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        11⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2352
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"
        13⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1408
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"
        15⤵
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2700
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        17⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2260
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        19⤵
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2996
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        21⤵
        
        PID:876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1620
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        23⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:756
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        25⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2724
        
        C:\MSOCache\All Users\dwm.exe
        
        "C:\MSOCache\All Users\dwm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Windows\system\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Public\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\Media\Garden\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Garden\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Garden\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\UnattendGC\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Panther\UnattendGC\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Panther\UnattendGC\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c422c8e97b5913f685ffa1f9aab20ea

SHA1
f0c83237378fd821a21d48c9d0ebb2636703a1a2

SHA256
5ebf7167247fd6d09fe89a56b9291e4568ad9786f4f12fe88b780a24d2822229

SHA512
3e59babcb58099d3274da51f5ce65a155c9f5546d7b4b5708175738ff496b9b5d54487b10421780d7db3334fb8f749968f8bf3278fafaf61066dd6343394abd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
084153cea089493886f3c9784a3c35a3

SHA1
1767299f0280853b09e597432f0d06b1da4ef267

SHA256
5de58bf5e5c8b248b4265da84f811326e9a66ac588097280f0e4e6e620e29da0

SHA512
d797620133fd24d121be3246d6a5cb6a77f308eafdb955c34b699260961fbfaf8d583b2fd6ea77b813a7dca2b7655f19e9c70da248d17e0387cd9467e0c21ef4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da3b1ec49795b930f65090768af9bae5

SHA1
bb69e670088230ec02ee83fafb32b773485b38c9

SHA256
2b5a5682308ef4045df9c8bbab8615ad7add30919521c8b2b2b32ae3be42c4a5

SHA512
169ff2d59b87043765fcc992e20ee8360939aaccebad310ac22304aa939b586b8d31a5439554893b55b32d4d3b35a600132eb7d16425973b0c39d05c4e7adbf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcf123cb7985ee8fef1dc7e9682ae759

SHA1
133263d7f8556c64b90c65b8e68c2801ea4d7a66

SHA256
13c81fb4ecfb7b2b1a5650b94c5064de72b44eea3131bb33d15bc5d46bfc3711

SHA512
a55d170ce15f4608b6843d13373076f8bd98a3726fdcad38c5b86ad12be5977e9878c944115d4a6dbea7e585cd84c53464c415b032a7617144a26bb235584e43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
274dedf28f2bc61fc60f729f63b2bc5b

SHA1
f6d45937667ce9a6ed34450ef87a2f6da7c2287b

SHA256
51e99f7a6f4aa1db4965617647c792d24e028571a51929e234057a183caa363b

SHA512
77d1e0d937f5866f26434264a05834fc9d4c445538df7b08a68c1e90afdb2b071f416609d6e660b005c453a1f0d73b89b06ef7e2cac4c41e47c7a756e9e9dd54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c90617d4f6946ffe58f4f2a899a335a

SHA1
bbea7ec4869f8a1af559b44a4cfa82bbb76e1337

SHA256
7b4525ce9e03e418c12264ef7094b96e2ca6040d02f9546fdebd5c5cfeeb2be5

SHA512
43862032edddcc91e3d2d3383809010c47a84fcb07423ca9e96019b09561557b3fda876e8f44e706b0e3ff39509c292e6d26a02d2c226103c5c7e5e9fe3f66eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1b354e2a2b5380c1f18eda99a2b9cf2

SHA1
220bac70de5161d9051fa021339425c8d2b8f6cd

SHA256
d2199421636eeb042530a42728fba361ebbe2c8e8fbf0e64bfbe8a9af99c13cb

SHA512
32532bb558705d07f2235a64ea5ca9c2aa18bad79d4c3211f8b9dd757ab56078a5d2770c50cbec22bb9df8f5361195e94729e23241c5bcb02228693b2b0a88be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62f9c1ed32b98860d5a826453d93ad6c

SHA1
883a6c2aec5f88d86c126a6c2bcaa3b0e5c1cd1a

SHA256
7d92543fd5d7c76422364de87aad9a6c6443f1adb2d7939fb955a492e7ef46c7

SHA512
f51941168d6f5ce5d6f02e83948f94c1e9b38bcfd90d56c8b62f651f5cd85042b2d5676e1ee18b15e0bae4a3361b71078441e925eacfa9d056cd5f43beb9f7e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b03766ebc38ad2e014bbad97d559f33

SHA1
ced4801d53a998fea0f486735981586c79f3d976

SHA256
3bf0037650fd18cf32e0f202f1d90999f95e801555d8d144cfdc31ac35122202

SHA512
8018232e250bfe550fdbcf76d1bace5869178fe9db938a6121a41af9866fe4193c40772a44935e0f9566254c5be579be7eb6d31db0c67ac5c2f63b8880c4be9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
194B

MD5
4e1ff6964d57d5d754f750ffbeba0c98

SHA1
c0c3c1d12f026a40d44880af7a96e9f5ea2347e7

SHA256
81ba9ce2bf1f0f3d81b8c3ca911b897e9057c9291b967c5bae1d9aa94c30bc61

SHA512
ca2d4d94c5a4d22a725bbbc24b7632b032f5c28feb8844d257a82962ac475531866eb206985121137589c1283395b98969701bbb1b00b1740ee0fdb8ef01ff7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
194B

MD5
1bb504971d79ae706a244a858efe9e59

SHA1
4f9cf25a13ec50f01eb1fdcb2ef099a205653a2c

SHA256
1a1c813c3ac55448a90f38a320b459a91d90a4beef7c9a13567c90fdf5d5438c

SHA512
f3730ebae0fc2ab6b9159f30cae595f7d05768e3c6be5a431aaa5b8daf2ec5780ba317627275ab4f560f418973cab42e1706b1a43440c90df5b01cd2c67424ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\8Lq6d7xQt2.bat

Filesize
194B

MD5
53494362fc32c5052b653da92b7b4110

SHA1
5392a4ab8937f022ed58480a8f5812c3666d352e

SHA256
7669456f81a4cd5e5cc8683aa08af767f2ae3f2ff5e500dc378222c208f441c1

SHA512
787af55e2f5c8763bd510f477e9c961e757ac800aaa86ace761959c1ff8fa2cfcb8b4131dd5f5b001b0c35ac9803093018cb34a218810db705c993ce17196255

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab459A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat

Filesize
194B

MD5
0b3126b4cdca08c35cd3c90b5f6e217a

SHA1
3890f6f46228cc25d01025afa2c63b2776b39e1d

SHA256
b8a8d869d3a7ac0f7d5ea491d5e9bc56a9e7083798d80e5234ac1de05f840f4b

SHA512
d7f4003c2cc8d970a4407eac51867b0afe78f1a6f43c4bfceaafe1367dda0be42e3312ccfd5fd52164139c6570c2b57206d1a3772d15ed0b324dfd53deadb6e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
194B

MD5
d9b29945a5f1e2fd60b8a4365f721305

SHA1
5c3ef7b838baa7888b8a3bc10f7ac39e27eeed7a

SHA256
626609ac670b97861fda3691ed6bd1463b66907054cef2729c94eaf2309d55cb

SHA512
bf1b2bbe3c961624a6638b7eef05328fc360b71fc2946b550cabed1f73cf2d6b4119cca886a5881b306457e38a593714092e6896be5c42d532f2204fa4f10c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

Filesize
194B

MD5
b8f204b170321888d1de1b03fa2d7439

SHA1
1851eedca75f97d76ccac38ec0a287f8677695e6

SHA256
133f33544d52f8812a313b81351180b59b455f88c0f9ec22e85ffd3191bb2f24

SHA512
0a6b9c42f3637c0147a86f8cb3af41b9b55d88ea29e83cf5ae5064c346ef9221cb1d147dc9197b0d45b4ef11c01746e98fe5ceffc05afb591b76b0c26b60dc19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar45AD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
194B

MD5
ba2ecec961b8b7641e549d6b9acab249

SHA1
15f976461d80135ed1642f4fad0cfe73907c1f8e

SHA256
bfdf16ef25c062ade2b55cb057af29554913b01fd9247deca3be89adbd6dd8b8

SHA512
332d992eec6607e80853ed641c27318528eb957c41c096b545ac41bc1fcade3d8fe257dad9bd51c9a0b6a8401f4515fd539f03bc9210c56159f772046b124f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
194B

MD5
8e9953cb813ce57d86d107423a96cc88

SHA1
03e20cb2ade21c7a71c89e2dc28beb64546c2347

SHA256
3e1e5e498a80159093b089ee78e21ff69f7c8b9296f96aa703fc6a8c32f6f92d

SHA512
72f51967856d895abf50d74094d052a35e2f62c4acd85af98949d84b3fe2ef9d39feb0f5891e9a65d2fda90a127d7b6e2606892a66ac58b24a5066cdef4d37c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHxTOCez5H.bat

Filesize
194B

MD5
f92cac2cc0d3c576824935fcba47fffe

SHA1
66d37a510e00934b551145e29cb1d8368a5d8f8f

SHA256
c94fef6ca75c9c2750872bf19a943e44dacf32873a0432aa2f07129f8bab835f

SHA512
2451c5e63db9d7b6b2b859655e7ccbd142993c2eec9ae809252d92aae2ae864854e5fe3a8c1434f17209be608780fbd768c55702e18332db9c25085c530cb991

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

Filesize
194B

MD5
9b1706e947b80f8d757e789d7a418c5c

SHA1
f6010bc28d96be734c18df34d98f488434e28503

SHA256
6a5225bc014ee6fc182a541af981a7173689e9970aad9600a9c86a4959391e1b

SHA512
ad8d70f9100d003bf603f0ade6e0de5c3c3c107f578c4126a1629e68287935cab67f05c03ce36154e83785e713e6fad8d1ab366c92519e9c4033f16591df576a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat

Filesize
194B

MD5
77eac7dc4cdedebd101ef77ca74958e4

SHA1
67972f0575242268a107745bdf914f7a9d6c2f59

SHA256
04389ba540a9028beb44a9445e80b667f1d8ea6a071de412cd4ec2c6b39cb0f9

SHA512
4bb57915b89ed863eb784a255149e8a03baaf2495f15280767739364e99827719c243a5fe55682a4682b86cdf9a3edfa2060af9de61c6a9a4f172d1a04474179

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
97cb0ede2baaa5eec860d0807f81f396

SHA1
e5922d3eb99b81fe71c61ea17ee384d0780e35ac

SHA256
08d26625147da4bbf28e8db62e0f3a6a65984e8cfff4d913023e8ffbcbed66d0

SHA512
2ede5fec96c46e0ed5568f90c5d9fb902deb4fdbc6650e6d80e4c607bf703ed1c8275eb5e09970f54a8644275498f09365842743be47f5ae52587f32a143d69b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/292-507-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-270-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/1640-747-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/2036-151-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2036-152-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/2300-687-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2572-13-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2572-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2572-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2572-16-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2572-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2796-627-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2796-83-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2796-78-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2828-567-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download