dcrat | a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a.exe
Size

1.3MB
MD5

dc218bb1b055e78630f6e1a87565bbd3
SHA1

5791de31cd40a6beb926a6288565ea96def4d58a
SHA256

a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a
SHA512

ee229650a38f64dc7dae27bbd6c4e6856cdddf79c1e31d3d7e77e36d664cc5971937a6e37c7cdaa66fdea47bbd32b5d5a3e5ce64fa81b02a1ee9e022f2518219
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	492	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1932	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	1932	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018634-12.dat	dcrat
behavioral1/memory/2748-13-0x0000000000BA0000-0x0000000000CB0000-memory.dmp	dcrat
behavioral1/memory/2580-52-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/2952-245-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2464-305-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/1316-365-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2292-425-0x0000000000BE0000-0x0000000000CF0000-memory.dmp	dcrat
behavioral1/memory/2288-485-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/480-545-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2944-606-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/1544-667-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/3012-727-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2076-787-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2272	powershell.exe
556	powershell.exe
2228	powershell.exe
1652	powershell.exe
1532	powershell.exe
2288	powershell.exe
1132	powershell.exe
1052	powershell.exe
304	powershell.exe
2208	powershell.exe
976	powershell.exe
1732	powershell.exe
2480	powershell.exe
1272	powershell.exe
376	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2748	DllCommonsvc.exe
2580	csrss.exe
2920	csrss.exe
2952	csrss.exe
2464	csrss.exe
1316	csrss.exe
2292	csrss.exe
2288	csrss.exe
480	csrss.exe
2944	csrss.exe
1544	csrss.exe
3012	csrss.exe
2076	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	cmd.exe
2128	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
19	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\system\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-content-filter-rtf_31bf3856ad364e35_7.0.7600.16385_none_dc1c5135f1c8fa0a\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\56085415360792	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
948	schtasks.exe
2328	schtasks.exe
2876	schtasks.exe
1960	schtasks.exe
1156	schtasks.exe
2372	schtasks.exe
2432	schtasks.exe
1536	schtasks.exe
2060	schtasks.exe
1060	schtasks.exe
884	schtasks.exe
1316	schtasks.exe
2828	schtasks.exe
2352	schtasks.exe
2932	schtasks.exe
540	schtasks.exe
2500	schtasks.exe
1076	schtasks.exe
1656	schtasks.exe
492	schtasks.exe
2884	schtasks.exe
2164	schtasks.exe
2020	schtasks.exe
2124	schtasks.exe
1684	schtasks.exe
2536	schtasks.exe
1552	schtasks.exe
860	schtasks.exe
1516	schtasks.exe
1888	schtasks.exe
2728	schtasks.exe
2440	schtasks.exe
2100	schtasks.exe
1804	schtasks.exe
1092	schtasks.exe
2488	schtasks.exe
2532	schtasks.exe
2560	schtasks.exe
1004	schtasks.exe
1976	schtasks.exe
1948	schtasks.exe
2984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
1532	powershell.exe
2288	powershell.exe
376	powershell.exe
1132	powershell.exe
1052	powershell.exe
556	powershell.exe
304	powershell.exe
2208	powershell.exe
2480	powershell.exe
1732	powershell.exe
1652	powershell.exe
2228	powershell.exe
1272	powershell.exe
2272	powershell.exe
976	powershell.exe
2580	csrss.exe
2920	csrss.exe
2952	csrss.exe
2464	csrss.exe
1316	csrss.exe
2292	csrss.exe
2288	csrss.exe
480	csrss.exe
2944	csrss.exe
1544	csrss.exe
3012	csrss.exe
2076	csrss.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	DllCommonsvc.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	2580	csrss.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2920	csrss.exe
Token: SeDebugPrivilege	2952	csrss.exe
Token: SeDebugPrivilege	2464	csrss.exe
Token: SeDebugPrivilege	1316	csrss.exe
Token: SeDebugPrivilege	2292	csrss.exe
Token: SeDebugPrivilege	2288	csrss.exe
Token: SeDebugPrivilege	480	csrss.exe
Token: SeDebugPrivilege	2944	csrss.exe
Token: SeDebugPrivilege	1544	csrss.exe
Token: SeDebugPrivilege	3012	csrss.exe
Token: SeDebugPrivilege	2076	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2824	2668	JaffaCakes118_a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a.exe	30
PID 2668 wrote to memory of 2824	2668	JaffaCakes118_a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a.exe	30
PID 2668 wrote to memory of 2824	2668	JaffaCakes118_a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a.exe	30
PID 2668 wrote to memory of 2824	2668	JaffaCakes118_a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a.exe	30
PID 2824 wrote to memory of 2128	2824	WScript.exe	31
PID 2824 wrote to memory of 2128	2824	WScript.exe	31
PID 2824 wrote to memory of 2128	2824	WScript.exe	31
PID 2824 wrote to memory of 2128	2824	WScript.exe	31
PID 2128 wrote to memory of 2748	2128	cmd.exe	33
PID 2128 wrote to memory of 2748	2128	cmd.exe	33
PID 2128 wrote to memory of 2748	2128	cmd.exe	33
PID 2128 wrote to memory of 2748	2128	cmd.exe	33
PID 2748 wrote to memory of 1272	2748	DllCommonsvc.exe	78
PID 2748 wrote to memory of 1272	2748	DllCommonsvc.exe	78
PID 2748 wrote to memory of 1272	2748	DllCommonsvc.exe	78
PID 2748 wrote to memory of 304	2748	DllCommonsvc.exe	79
PID 2748 wrote to memory of 304	2748	DllCommonsvc.exe	79
PID 2748 wrote to memory of 304	2748	DllCommonsvc.exe	79
PID 2748 wrote to memory of 1652	2748	DllCommonsvc.exe	80
PID 2748 wrote to memory of 1652	2748	DllCommonsvc.exe	80
PID 2748 wrote to memory of 1652	2748	DllCommonsvc.exe	80
PID 2748 wrote to memory of 2208	2748	DllCommonsvc.exe	81
PID 2748 wrote to memory of 2208	2748	DllCommonsvc.exe	81
PID 2748 wrote to memory of 2208	2748	DllCommonsvc.exe	81
PID 2748 wrote to memory of 2272	2748	DllCommonsvc.exe	82
PID 2748 wrote to memory of 2272	2748	DllCommonsvc.exe	82
PID 2748 wrote to memory of 2272	2748	DllCommonsvc.exe	82
PID 2748 wrote to memory of 1532	2748	DllCommonsvc.exe	83
PID 2748 wrote to memory of 1532	2748	DllCommonsvc.exe	83
PID 2748 wrote to memory of 1532	2748	DllCommonsvc.exe	83
PID 2748 wrote to memory of 556	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 556	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 556	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 2288	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 2288	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 2288	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 976	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 976	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 976	2748	DllCommonsvc.exe	86
PID 2748 wrote to memory of 1132	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 1132	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 1132	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 1052	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 1052	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 1052	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 376	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 376	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 376	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 1732	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 1732	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 1732	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 2228	2748	DllCommonsvc.exe	92
PID 2748 wrote to memory of 2228	2748	DllCommonsvc.exe	92
PID 2748 wrote to memory of 2228	2748	DllCommonsvc.exe	92
PID 2748 wrote to memory of 2480	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 2480	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 2480	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 2580	2748	DllCommonsvc.exe	108
PID 2748 wrote to memory of 2580	2748	DllCommonsvc.exe	108
PID 2748 wrote to memory of 2580	2748	DllCommonsvc.exe	108
PID 2580 wrote to memory of 1768	2580	csrss.exe	109
PID 2580 wrote to memory of 1768	2580	csrss.exe	109
PID 2580 wrote to memory of 1768	2580	csrss.exe	109
PID 1768 wrote to memory of 2356	1768	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a93c3cb19e826a5a7967bb83bb96afd928414a959aeece22f2201f1e73ddde6a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2356
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
        8⤵
        
        PID:1076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2132
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        10⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2948
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat"
        12⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2932
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        14⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2568
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
        16⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1336
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        18⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:604
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat"
        20⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1996
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
        22⤵
        
        PID:888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2772
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        24⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2480
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        26⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:288
        
        C:\MSOCache\All Users\csrss.exe
        
        "C:\MSOCache\All Users\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\system\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\system\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\system\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76826400c6c7e836fc39ff999377f969

SHA1
d885afee1c3902dfc125fda39f0ac509c41f47b7

SHA256
0ca54cdcd7b642b1a55cf6b8a7c9dd0bf01c5cdcc71c0514fdb4289885511c2e

SHA512
6acb5da297650bc2a0a53c786ba70051636401cf4874b3c9560fd27988399b46e9bffd47db5318d84386e8df98843bb5e201981dab8cc1196743f14684507158

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f186a7125b6f7705943a637c60eebbab

SHA1
e87a50a2e8fbdda88b497bc21ae49e6126b414b0

SHA256
8284d244fb290d038df005bde48be2e372c5f9363c7a07878bd02faf6a2a2762

SHA512
990b0c3099086e4be72dfcaa091596d4ce93fd566ec82c72e21743446706239ff21d2826a37067f6e5e9fdf1686bbb86b2c1ace0cc9c8f94b55cee283e4ec319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed4cc9cc9959d1164c8867d38b223a5b

SHA1
e5846bebf95fbe398a63cb925976911a22f0ce33

SHA256
f97ed67d78ee796970ef552f4968e8ad6463740a2f98e9d616bbb5ac1a211792

SHA512
a6065f674ee71c81d5a9465e7da42df14448b30aef55d54bf8ed3855e98fb31c95704f9d78a159fd9fd50f27b941fc3b323f51a4a239b6422aa6ea590da1c633

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25822ec195f1021b365e7811a6ba89ad

SHA1
13f83764594393ac2a69839f0a6991232f0a94d3

SHA256
5dca65426acfeead9862be89044758d789c4d0fda27f5e8adca81b5e4a9c1c49

SHA512
3161518b8c0d2a9ae6532e08c1f02dbb2927e251b24ac0bb174986ba66673f0a5870c7a05f5b162ef3ff13cee5954d6a2fff9beade5e09772d6a8da60b122c47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2afd5bc3157b9879541c580de85a15c2

SHA1
1dd21f376f5030e381361480a5ce7762e815756b

SHA256
6d3793eded5ca970f2f9569639bd2b2ef83b4cd95b38e18996781d123d62aa31

SHA512
ac47f6e60b708e755682433e1a74b2feb67a060abdf9b312416d321551fab3a9deb49d8ecbd35aac8676cbf9e2ffe301d0327b240e2744690a6072d1fb0fcde8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79c76dbfe953ebfdda9b97412bc812ec

SHA1
88eb5688f059acf7fb9c8811523bfc3b245200d1

SHA256
bc6a413a5dcba4597cbc2288d848447d5c6eb0ea672bb9239ad30de7e0e647ca

SHA512
54dbc8a0eca227802b9ddee7e5c6ac0a5a5c7ff6b19de1b4762f8578435c92dc9ace4de3e04c3360cb3f809dd370a17ab64427ef957d893c5152327de1c13b34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b2579f6aa8a026c733ad2b6af374f90

SHA1
f0791f30df000d33ec35de5a6452307eb93273c3

SHA256
9e06cb6da1b0802cfbfe26499dfa4e51ed8b498ee5b87942f02ad186bee984b7

SHA512
17549c0f8f628dff758e62d78f736cd80434826f997af4075f8b3d1dfb620c3c7e63131edf3378b36ea57f9422b4797d0d80a8c899a1b3a33ccf090d054d08b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1a2f08979ac08e2ff1c70a18fa6f60e

SHA1
2b6debe90f3604bf7a048a1d382a6530b0b2147a

SHA256
6b6ba649170dc3b8e15312b1acf92b4bf0a9178409dbfb5a98e3f3c0079c3d29

SHA512
5875ef33b360ab103785e0757c3c1804bb64556feebc06aa7b99e5da1bc26375385078a2eddab51bc1d11a4a34611a152cfc33d19daa3a69320504cdf68e147c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44916e9fe9755e71437f5e1b5c253814

SHA1
e83f77f59c10b2abfb1a7a84f0992613b9339e7f

SHA256
7332ef6164feb6d286cf944a5326fb26c9986c7b01826a1825c2c657f3f2b992

SHA512
c1ec09156009cfedcaf1d6fcda88425f6dad2770f39fb9c3061c964554aac72098ca3b19e3ba307556bf7df4657727d86d03ab1f79dafe5deffaa37e5eaf0610

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d52cdeb1f3910f5ac26df7206cf6a545

SHA1
2982d5c11d03164230a67584144d332d3df03298

SHA256
aca3ed549a01e815ea5920f008d72d316e2fa76d5b7316fb10bf34e64fe9c6e3

SHA512
6ec1861daa1b1d747c12e153a35435ef079a2afe227e71922933dc5c16f38bd5478fcba13db752c97183f7fd52bab89d98765f308af9f5bc34f963fabbf2376d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
196B

MD5
5151612792b8084976035f855febdf89

SHA1
9f8fb51ffca139aae7f2b8b85d596ce2582e05a3

SHA256
a9114c2b55f3d4bba3a5d420110074460d977b41754719e0b926a64a488407fa

SHA512
5ed45af06dd91c27a6caddacdb1867154e71e6c6fda8456d643a25fd7b8861d7e349e685371191acb01e97ace03726757c8c107a75e45a1ee8296872216dd02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\A1nTHBcTHH.bat

Filesize
196B

MD5
5fe7b8cc3e8d3b9bb2b9df795b7ffef6

SHA1
b3b7b5c14c6df99bdea941e8ead2ec051941318e

SHA256
f352a14b83c9871bb02bd9e3541eb19a200e27b37eed7584683b1b2de7dd88a5

SHA512
b17542a2a2efa8c7695aa0f49040b4073d853223c214e7eb48383a186b938878488d5e13015f58d5bc1ec7da5a87eb1a0cdd90c5fc8cc9c024350c2809374dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E8D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
196B

MD5
dbfa7161b3ff89c330fc6b15f02d9053

SHA1
bac5b285d988d199e2639f93d98f1ab315fcd49d

SHA256
a6a9a4251fc4701faf28e964673a2115a8303e4c1f35d690c6800f87a7d08988

SHA512
1569128c1cc081dd8d91af548add1d63025b3c0e83ed96ed50bdae699349a732a86ed13a4829dc16c859ae92f1ea0393ee1a0076f82bff5df516d1196edb7294

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

Filesize
196B

MD5
09e40afe26fbb1bcbae26485900b9780

SHA1
bd2360410c74a5620002c11208f28da2623f28b1

SHA256
65de5ffedeaa6bf9016d083b7c72557ef0f37e630653f2c8c1b4166694426ae5

SHA512
40e16ff4ad9e0ef93285765038686b145589ce807a6bcede351f635d6735ddb871aab04ea81837ac123904dd385a0334a052f9e388f0bc8f0f4e82f0d40e0ff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
196B

MD5
1dc23c0473b091d6289824c57072de74

SHA1
7dbe80943f2ab14e9ea39cdfa0b9ff1f030c13a8

SHA256
40a7a25fa22b5d7243c75dfbd3e61cf3eebe286290cc3a71aa36660d2975376f

SHA512
f8ef5d25812618784c1e86cdc254514031984ca74d662337675b3f0c97b195c9497cf909dfc0af7d0a89445136c58f4c8445633fb48b441cd2ef7e4865ce28df

Download Submit
C:\Users\Admin\AppData\Local\Temp\NczlPfxoCy.bat

Filesize
196B

MD5
73f67983fb129c50970733280aa97ad5

SHA1
dc94d88e722cee34ef2f206d2230ed6d91a8ff25

SHA256
8617f3dd2c9fcf9fd208a3bb71c3817f8280909bf1a60cfdc9b25084f52dffc4

SHA512
9efa8a51391a0d89ee7bb6afb52b6a4af3bda5ce1d65f8a25836b744b6bdadb5a3046800e0022869c104aece73876c82e8b24b666678d33c653189a44724567f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6EA0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
196B

MD5
a4f4c36100e4bd1c853d1a81ccb7ba39

SHA1
472ec2ca3b177fb2148f676bcc90099398a0e77e

SHA256
9d275f0976042544eade63eb013b951a6509a95f5f4a88f16fe932caadc1e142

SHA512
f7f89e4d15935be68ff93ab3c72149c80de0ef023798935b1b7e3c2944f24c0b833c6cebb41d69366a0f49f161cb2afa41358ea3983319e4229027a1b1289cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
196B

MD5
d461fa7e09a59e6e4e37f1566e3946a2

SHA1
ecde22bd7295a1729f8d9333b8e7b814168b72ac

SHA256
532fd63092655408d95c661fdf52683a98193133a190d945f0b2a962bcb335a8

SHA512
cdabb1da84fef3fa72c6b16e5246aaccf234599c269b04ec9e9cc9ddf0a814817b389af4a8e6c19502b7ae3649ef67a846ed25ec7e84f89d1bf5cdb92a8e0c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
196B

MD5
34a3c44ae7a5af845e4ca7dd1abda7e0

SHA1
e76d1988119279fa2b683c28c2cec1b3809625f3

SHA256
aff22d1f2dc6710ccfcd45f194b07cd21b0dd654477553ad605269624ca92446

SHA512
c00a04301edcb640d9ffdacc3fbc660578ec4fb9f66fbd6a6dfb500a89c9261aeef59cbcae30de6c6cf6155681961809ec43933ed302b31ffb98098eab9c1a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

Filesize
196B

MD5
3607333a7c1cc79e72c3987f1f49b189

SHA1
3313e931b9a05ad8054df832339dd7be75b32f6f

SHA256
dd16cb32b4569ca10c9a928c09b6a9132263b6fd70279f72dc6de8ca23d0294d

SHA512
72621a26aeffe4b4aa7e18455b3da3e9b747d0e144ced623453659791519c632779020da394c2ebf1ccda39067299ca8ad07471aac21cc6ec96c27c9c58dcda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat

Filesize
196B

MD5
744b9e4e2c365a3c066fb3b9d43118f3

SHA1
6d7ef4797cb0aa4c60a14621c144b50e9deb9130

SHA256
e6636462551c71aabc4f391c96ab1c397a06c4302d995258f65a582a5ce3927b

SHA512
57f79c63f8cfaa2684a42ef220f3ae7a746bd75661398ca7a0b69f7e2645c3ef74ea8cd52d40490149dde7bf7f29a50cfc08f76c8be9aabf43dea825a8fa51a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f6d41559837b1c888af6a178393e41c5

SHA1
2e28085ddc844ced00c7ef6f1887be2b570cc885

SHA256
79eaf3f6a12642bc94aee83050275f7264eb4a5b9c431752690f846f6ac700fd

SHA512
fa1d2024f0558e16fbfe13b851e51dd86d09398f37dd81e00f63a467bbe6a1751775653149f1d3cf7484480f47661ad72f1ecd850d1c48842c62d3cd1c36e4bf

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/376-87-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/480-545-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/480-546-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/1316-365-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/1532-88-0x0000000002230000-0x0000000002238000-memory.dmp

Filesize
32KB

Download
memory/1544-667-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2076-787-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2288-485-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2292-425-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

Filesize
1.1MB

Download
memory/2464-305-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2580-52-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-13-0x0000000000BA0000-0x0000000000CB0000-memory.dmp

Filesize
1.1MB

Download
memory/2748-14-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2748-15-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2748-17-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2748-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2920-185-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2944-606-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/2944-607-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2952-245-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/3012-727-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download