dcrat | 335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 06:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896.exe
Size

1.3MB
MD5

799d593d4eba6e206886abc56d331d70
SHA1

9e3edbafbde51b85ff6369f9ad9104eb5f644a9f
SHA256

335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896
SHA512

a049a1a26d50e9e395f871a04a364266f887766d036325c11bffe8d08307192f6903d04b580fafc86be64060d3b4b02dc2998980bb0ca2dc4040d670f7051e1d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2620	schtasks.exe	34

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016b86-12.dat	dcrat
behavioral1/memory/2648-13-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/2848-150-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/664-209-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1728	powershell.exe
2776	powershell.exe
2744	powershell.exe
3032	powershell.exe
1528	powershell.exe
2696	powershell.exe
2792	powershell.exe
1948	powershell.exe
2676	powershell.exe
2800	powershell.exe
2808	powershell.exe
2804	powershell.exe
2880	powershell.exe
2940	powershell.exe
2764	powershell.exe
2656	powershell.exe
2704	powershell.exe
2876	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2648	DllCommonsvc.exe
2848	csrss.exe
664	csrss.exe
1876	csrss.exe
2720	csrss.exe
1552	csrss.exe
2448	csrss.exe
1932	csrss.exe
2076	csrss.exe
2396	csrss.exe
2764	csrss.exe
2532	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2824	cmd.exe
2824	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
4	raw.githubusercontent.com
18	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\lua\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\Cursors\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\ShellNew\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2952	schtasks.exe
1300	schtasks.exe
796	schtasks.exe
1504	schtasks.exe
1404	schtasks.exe
2068	schtasks.exe
1764	schtasks.exe
2116	schtasks.exe
2644	schtasks.exe
2172	schtasks.exe
1692	schtasks.exe
1808	schtasks.exe
3068	schtasks.exe
1012	schtasks.exe
2288	schtasks.exe
3000	schtasks.exe
776	schtasks.exe
616	schtasks.exe
264	schtasks.exe
672	schtasks.exe
2388	schtasks.exe
1964	schtasks.exe
1924	schtasks.exe
2392	schtasks.exe
2308	schtasks.exe
2748	schtasks.exe
2980	schtasks.exe
1720	schtasks.exe
2988	schtasks.exe
1868	schtasks.exe
1172	schtasks.exe
2528	schtasks.exe
2732	schtasks.exe
2364	schtasks.exe
2200	schtasks.exe
1544	schtasks.exe
1984	schtasks.exe
2384	schtasks.exe
2224	schtasks.exe
1812	schtasks.exe
2168	schtasks.exe
1976	schtasks.exe
1992	schtasks.exe
832	schtasks.exe
1004	schtasks.exe
1972	schtasks.exe
3020	schtasks.exe
2352	schtasks.exe
1788	schtasks.exe
1364	schtasks.exe
3040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2648	DllCommonsvc.exe
2648	DllCommonsvc.exe
2648	DllCommonsvc.exe
2648	DllCommonsvc.exe
2648	DllCommonsvc.exe
1728	powershell.exe
2744	powershell.exe
2804	powershell.exe
2776	powershell.exe
2696	powershell.exe
2792	powershell.exe
2656	powershell.exe
2808	powershell.exe
2704	powershell.exe
2880	powershell.exe
2676	powershell.exe
2800	powershell.exe
2940	powershell.exe
1528	powershell.exe
2764	powershell.exe
1948	powershell.exe
3032	powershell.exe
2876	powershell.exe
2848	csrss.exe
664	csrss.exe
1876	csrss.exe
2720	csrss.exe
1552	csrss.exe
2448	csrss.exe
1932	csrss.exe
2076	csrss.exe
2396	csrss.exe
2764	csrss.exe
2532	csrss.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	DllCommonsvc.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	2848	csrss.exe
Token: SeDebugPrivilege	664	csrss.exe
Token: SeDebugPrivilege	1876	csrss.exe
Token: SeDebugPrivilege	2720	csrss.exe
Token: SeDebugPrivilege	1552	csrss.exe
Token: SeDebugPrivilege	2448	csrss.exe
Token: SeDebugPrivilege	1932	csrss.exe
Token: SeDebugPrivilege	2076	csrss.exe
Token: SeDebugPrivilege	2396	csrss.exe
Token: SeDebugPrivilege	2764	csrss.exe
Token: SeDebugPrivilege	2532	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2876	2092	JaffaCakes118_335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896.exe	30
PID 2092 wrote to memory of 2876	2092	JaffaCakes118_335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896.exe	30
PID 2092 wrote to memory of 2876	2092	JaffaCakes118_335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896.exe	30
PID 2092 wrote to memory of 2876	2092	JaffaCakes118_335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896.exe	30
PID 2876 wrote to memory of 2824	2876	WScript.exe	31
PID 2876 wrote to memory of 2824	2876	WScript.exe	31
PID 2876 wrote to memory of 2824	2876	WScript.exe	31
PID 2876 wrote to memory of 2824	2876	WScript.exe	31
PID 2824 wrote to memory of 2648	2824	cmd.exe	33
PID 2824 wrote to memory of 2648	2824	cmd.exe	33
PID 2824 wrote to memory of 2648	2824	cmd.exe	33
PID 2824 wrote to memory of 2648	2824	cmd.exe	33
PID 2648 wrote to memory of 1528	2648	DllCommonsvc.exe	86
PID 2648 wrote to memory of 1528	2648	DllCommonsvc.exe	86
PID 2648 wrote to memory of 1528	2648	DllCommonsvc.exe	86
PID 2648 wrote to memory of 2696	2648	DllCommonsvc.exe	87
PID 2648 wrote to memory of 2696	2648	DllCommonsvc.exe	87
PID 2648 wrote to memory of 2696	2648	DllCommonsvc.exe	87
PID 2648 wrote to memory of 2676	2648	DllCommonsvc.exe	88
PID 2648 wrote to memory of 2676	2648	DllCommonsvc.exe	88
PID 2648 wrote to memory of 2676	2648	DllCommonsvc.exe	88
PID 2648 wrote to memory of 2804	2648	DllCommonsvc.exe	89
PID 2648 wrote to memory of 2804	2648	DllCommonsvc.exe	89
PID 2648 wrote to memory of 2804	2648	DllCommonsvc.exe	89
PID 2648 wrote to memory of 2800	2648	DllCommonsvc.exe	90
PID 2648 wrote to memory of 2800	2648	DllCommonsvc.exe	90
PID 2648 wrote to memory of 2800	2648	DllCommonsvc.exe	90
PID 2648 wrote to memory of 2792	2648	DllCommonsvc.exe	91
PID 2648 wrote to memory of 2792	2648	DllCommonsvc.exe	91
PID 2648 wrote to memory of 2792	2648	DllCommonsvc.exe	91
PID 2648 wrote to memory of 2808	2648	DllCommonsvc.exe	92
PID 2648 wrote to memory of 2808	2648	DllCommonsvc.exe	92
PID 2648 wrote to memory of 2808	2648	DllCommonsvc.exe	92
PID 2648 wrote to memory of 1728	2648	DllCommonsvc.exe	93
PID 2648 wrote to memory of 1728	2648	DllCommonsvc.exe	93
PID 2648 wrote to memory of 1728	2648	DllCommonsvc.exe	93
PID 2648 wrote to memory of 2656	2648	DllCommonsvc.exe	94
PID 2648 wrote to memory of 2656	2648	DllCommonsvc.exe	94
PID 2648 wrote to memory of 2656	2648	DllCommonsvc.exe	94
PID 2648 wrote to memory of 1948	2648	DllCommonsvc.exe	95
PID 2648 wrote to memory of 1948	2648	DllCommonsvc.exe	95
PID 2648 wrote to memory of 1948	2648	DllCommonsvc.exe	95
PID 2648 wrote to memory of 2704	2648	DllCommonsvc.exe	96
PID 2648 wrote to memory of 2704	2648	DllCommonsvc.exe	96
PID 2648 wrote to memory of 2704	2648	DllCommonsvc.exe	96
PID 2648 wrote to memory of 2776	2648	DllCommonsvc.exe	97
PID 2648 wrote to memory of 2776	2648	DllCommonsvc.exe	97
PID 2648 wrote to memory of 2776	2648	DllCommonsvc.exe	97
PID 2648 wrote to memory of 2880	2648	DllCommonsvc.exe	98
PID 2648 wrote to memory of 2880	2648	DllCommonsvc.exe	98
PID 2648 wrote to memory of 2880	2648	DllCommonsvc.exe	98
PID 2648 wrote to memory of 2940	2648	DllCommonsvc.exe	99
PID 2648 wrote to memory of 2940	2648	DllCommonsvc.exe	99
PID 2648 wrote to memory of 2940	2648	DllCommonsvc.exe	99
PID 2648 wrote to memory of 2876	2648	DllCommonsvc.exe	100
PID 2648 wrote to memory of 2876	2648	DllCommonsvc.exe	100
PID 2648 wrote to memory of 2876	2648	DllCommonsvc.exe	100
PID 2648 wrote to memory of 2744	2648	DllCommonsvc.exe	101
PID 2648 wrote to memory of 2744	2648	DllCommonsvc.exe	101
PID 2648 wrote to memory of 2744	2648	DllCommonsvc.exe	101
PID 2648 wrote to memory of 3032	2648	DllCommonsvc.exe	102
PID 2648 wrote to memory of 3032	2648	DllCommonsvc.exe	102
PID 2648 wrote to memory of 3032	2648	DllCommonsvc.exe	102
PID 2648 wrote to memory of 2764	2648	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_335029e75432121cf28f4223287a22cbb0dc7309fdce4b50cd2718aa56edc896.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ShellNew\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\lua\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FgCjRYYmGA.bat"
        5⤵
        
        PID:2164
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2924
      - C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
        7⤵
        
        PID:964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2168
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat"
        9⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2236
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        11⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2348
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        13⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2860
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
        15⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2700
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat"
        17⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2212
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat"
        19⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2540
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"
        21⤵
        
        PID:568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:340
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        23⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2768
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
        25⤵
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2360
        
        C:\Users\Default\csrss.exe
        
        "C:\Users\Default\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\ShellNew\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\ShellNew\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\VLC\lua\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\lua\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\VideoLAN\VLC\lua\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Cursors\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c36b67305123461d1e1d55cd8135d73e

SHA1
a9b456b5938c5d5cb4e164b5079622bc37bccb1f

SHA256
d8052f4b6f4d76a6a8d4663152e7df28fbd493fce471061b2ff5739794d97ee7

SHA512
c9e56fbb938d892538fb35c75546adfa7b02d4944a161b98e9342c3177a12b975143a27bd8152850786a7be4e6feb74249f0655e2bf65718490edcbec210a0af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6320268ea647c8111153c53acf98e299

SHA1
1155b49bd4db6f016a8db33bbea240494bc87688

SHA256
226eb5576da76200ce6049e528e7167088701032f755a4e76b2630fdbcd26cb7

SHA512
28679e714fda8139a5470ac97a399db2b432421119686cd541c009a9faf8aa5ae22f7377a7beae5767d88de42f1c90a59b49448f130f77aa07b114a005dddcb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa35832c50536adbfc354f6a28c1a96f

SHA1
356c66559aac4b6c6c32125e03f435715d1abe38

SHA256
ca7c4a89a9351a1fba862d0c267da025c4afb6ecb7df8d7d11e07e2dd8e9b3ca

SHA512
0ea21374b98c7b95df11f96df06e71e4b47222685e0c4ac38b12ab02bb1a2a82a8776e52b359806f12a47761391a6885cc26706acc4e7bfea2090663afe5193c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0db1e625d4a4d5d58c47b5752aa07f36

SHA1
f353de8980b38b3f33bfab221751718f4afd6f45

SHA256
3c2f278b5e8e0703f9a62c3535a98440812208fb6becab80501023ad327df1e3

SHA512
61b64f3b362777d63c2e880569a7bb811f3ab6e35ec54a08b6c14a066ef9b36ba0a7e556b73058118c6473c2084791b0db712336b6eab53ee265e55c659beab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c12bd5bd30099b81e51938381485b21d

SHA1
c709e24fd60255152f6a255791648c89328b4126

SHA256
c3514c587d4dae8ba4b6cda30985bdf761a2fde8cc59d1699c74c5560e653903

SHA512
b5212a84fc3f0e8481b4e95dea838b7774db32431d43ea57a45f79d17cdedc462842d2d5d2e51a2c0443aa00d8a4eababfe26fdf7ecd548b243c6c5c92b95d5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d1da3403d30d1869337d7194e3d01a9

SHA1
a8d68a32b6d8b37d4c355a09ab0c03ad0ce363b7

SHA256
0427dc25e19b5762f5b01176f0bf5415de847cc30176e67d245c6bcb73d5e065

SHA512
97eeab01e7bc3eab9bcee8ea61a4cf37c5483b300aa3f9329f22605d5ee7c775b7b993a210d6f166feec7e50d782661ce21632983973112e7230657a51d4c620

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cd6939bbe7d4046f3a13099568bc131

SHA1
9337084d72181e940ceefcd051a8bf26643071f5

SHA256
97ad9e8b733450b7cfee7d8cffe3b992cb4ef28f4313f34c8b5303ccc052062f

SHA512
982b7f65791884eeda9ae1261830dea928ddb8e86b78de5838dc6d58ef8328d95d86cb846de2a3f98a2dd3f90e149b33adcfd0f69409456faec29083c5228142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b855d475b6009c0921c46322972040c4

SHA1
877717f7fa4d3033292c24617bd397f1ad1bac86

SHA256
36e1b169b51c030aced228e55bbfbf1d475f284ebe0ca2c2a68d1c4cbbd79563

SHA512
264090a9a540cf064f0e1ecbc969dd6910958c7102f135f80a265c91859e2d573d28ff96b6ae04cbd376c777a3ed6ad8cb0cc2b1fffee099d44d2e9e21f53967

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11b3638086e047faa65eecd9f327a210

SHA1
66b4817a32c4c5d812932d509c401986180b229b

SHA256
e51e3fc2b715f558d58afcc4e78cebec71059413904a95550d106c22c227ca89

SHA512
3ce11577c7105975d3e720458af429e4f879f5bb58c9f21033124680ed2109cfaaa2a68de058822564d5d793a6ecc46283e2ee297529ecf769379ac0035b7bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab89DA.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

Filesize
191B

MD5
e98e5f1c988d67f24eecd78f62b422a3

SHA1
d5846cb36e41bea45f52a48c3470f2ed2ac9b9bd

SHA256
b2974520efa5e84b21b6c9f811f89db111a24a9cf97c963620c230acf4ad2157

SHA512
da36f467154d0c6b7b2e307790df57f50dfc5890721087ba4f6517e545ad064c8d3ede80c3b99fe7a11c406ba0858aad15da4b4dafb6db29ea62d9b0ef9bdd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FgCjRYYmGA.bat

Filesize
191B

MD5
0c6d1780451d0c6d2c7a37a432c89414

SHA1
3ce6a6ef9321f0d7078a3056836a1fba851889cc

SHA256
38f94dea03633c3f90d203f52396664107f081d0ad62fcb85ba18f32c14eda0c

SHA512
19c704f98797ebbe7cceead920175a3abbdaf9cdc3fb17de2000e524e73af0dbbc280cbeae3ee01a44e54472437e8946df472116a5ff6269b1cded3ceef0cc18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
191B

MD5
befeff80fc0c282119001eef3ce3a186

SHA1
eb989d45dd150a2f45985f59527f8487e3ee30d8

SHA256
01d0b49dcc78aa13863202cdd91dfb55b180606a842e8f9511c9c9c153f25cca

SHA512
91fde20a77544ce37a56100c5ece225a5e9c27be6fae73c464298790ea0fe675ce4082eaf7927b7cac01998832b3546c0b62b380b40272ba72ee5f3a72a8366e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
191B

MD5
6de5f5a6be6dddca2ade48d1d83f8692

SHA1
59fab76f41513b58c6814103c3c922f23dc65068

SHA256
93eee3a7dd4f57fcb5005379c08922f9fd219707fe72f7789b20e2cac3e69068

SHA512
319eff7a3ac170e298f5a3d37672f77fc3ad74583b169790760e6bd2e10e9923363e0170d3df950b915925250e84410767b3a770871c8a69f7aa6b2399e89de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\KxKP0srito.bat

Filesize
191B

MD5
25b63e9a53284a0b5b6033d426737dc9

SHA1
a7d4e47361107b722b5bfd685ad7d4f348080a33

SHA256
8861fc3db557f590f5a51b8db4779f29ad76a0383faf7782b593b54629d6a19e

SHA512
9d3b9785bdb2eeef9bb8e5926131053d3e432967c08ed08164d400824be07aa2cec85e8275a8bc14244ccc17723fa92b9f7ec658fd9b1106e6445440fbd31452

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
191B

MD5
f51ea6ef620d071554eb1ccf85afb306

SHA1
c02c44f83f932ebb967eb000c97e7940392d332c

SHA256
129a14d6b3943f5e74500edef14fd59de3311d233b116d48363a998646658102

SHA512
11c80d49c3f4202fb06baa8dd88767ef20146394a5fceb069be9000916c5482d5f81fafe22f890a4976acaac0ff064effb23d7b71f0598bec18e01005cf87c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat

Filesize
191B

MD5
4067d4f74ed1a126aebfbcb3587ef1f2

SHA1
d15c49fe2e6bd44456c81f02fdeb3a1fe660c7f8

SHA256
a04a8fb5a500293494c0598acf24cd0989855e709ae02eca6eacd9aaf6e11f11

SHA512
975e29457863c510ebaf6bc166990981182345b46774fa25f42777e05c3d63573e4bef4c14ddcbdcd89acd74a5ec661aae6c2419f9e4f0736bb20b8232b0a354

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat

Filesize
191B

MD5
5eb738bed7f53852c54fbe76f05227ae

SHA1
50deafd71fd4bea8c78c6f8394e18ce88a105b14

SHA256
bda211355af2210989e84d65d9faeb1292d17b0edef16afdea215a54353a9610

SHA512
abf71eb1ebca37e3db1288b2f68afd3731584e16ff03aee3c65ad20f0d45a9c132e486d9c28366ed9ce566e75ff237f5c6f565f1e9547f25604df362320ab329

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar89ED.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Yvohz7Nokj.bat

Filesize
191B

MD5
f28cc6f1eb934b8c45b8c4df66ce18b1

SHA1
ad02b1d47ae0c8cc14a3cb61546bdb70f7be0278

SHA256
c907cf34f2792200c3556ae4b5851d65e58f79ee26ed7f6c1070960fddc92336

SHA512
d25737ee5b9fb99efebec9fbfc974befecd819cac5616ced7a91a62422b18f51a293f85991429b235491c3cae72bcd5ae6c1347cb7e662769b99c734d68c8f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
191B

MD5
c3751572b9f52c0b839e574d4a1dbdf4

SHA1
532e1b712609666d142b4e8b12112d2f62aa844a

SHA256
26dfcfbc072f777ffdee9f8ad139a9c1c73c54abe704ba028ccccc0d315a0265

SHA512
c3e86b640e50822170eefe2a0ca2e26a8c77f07da397ea4ae577d9f4b3576b7335b92433d145072eff4d4574d4f5f08f95ffa49e334ed5c8dd3011d561344930

Download Submit
C:\Users\Admin\AppData\Local\Temp\qRj2XQE6t6.bat

Filesize
191B

MD5
a90784bfb3566be59e41af5653c8183d

SHA1
04a9065c1620bdfbc868416cb4330d05ea5edad8

SHA256
d75282bcb3c7d4063fae35a4182257d50a2cadce1e7396ecd9a0c129511099d7

SHA512
d3e6047fc7fecb53d74fc00fe8e2d731bd864163460e4d1789d7a73ec3fc6988ce5abf59b44ed8ed3826bf69e211aa558d50920b8679d2649ea2176e8320e513

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f802c55d6e6adc7c72d51cb19c71ffc2

SHA1
c37037df65761864eb44c545d462622817b34819

SHA256
96ab8bb7232fd06f21e5eaafa78db33156b55826472551776dc443e9b14a36de

SHA512
935a509fe2d39b413162794c228c21afaa726e2db068fc7e91656ef2f040d41ad51f2ee17710783027bf13444c52337b90b6bb1df27f0ab140d858c64de97658

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/664-209-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/1728-70-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1728-76-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1932-505-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2648-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2648-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2648-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2648-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2648-13-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/2848-150-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download