dcrat | 8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0.exe
Size

1.3MB
MD5

972b0db8ae0b8a210689b15c82721795
SHA1

04e0c4cb90442f69abdb9ff86c7044a7a8ab8c54
SHA256

8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0
SHA512

bb6f7e4e05109effbc3e6f51d14fc89f1a297fbdc016a348d0ae2f816ee39778294e0211ce5059abda79f83930cb219f9e57d00ff98f3d30f3f7145949a0ee80
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	740	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2452	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2452	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016141-12.dat	dcrat
behavioral1/memory/2740-13-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/1984-52-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2232-246-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/2912-306-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/692-544-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2164-604-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3048	powershell.exe
1728	powershell.exe
2096	powershell.exe
344	powershell.exe
872	powershell.exe
1036	powershell.exe
2156	powershell.exe
2264	powershell.exe
352	powershell.exe
1768	powershell.exe
556	powershell.exe
2388	powershell.exe
3008	powershell.exe
2508	powershell.exe
2988	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2740	DllCommonsvc.exe
1984	audiodg.exe
1308	audiodg.exe
2232	audiodg.exe
2912	audiodg.exe
804	audiodg.exe
2532	audiodg.exe
2688	audiodg.exe
692	audiodg.exe
2164	audiodg.exe
1468	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2340	cmd.exe
2340	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
36	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\schemas\AvailableNetwork\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\AvailableNetwork\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\winsxs\wininit.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1488	schtasks.exe
2220	schtasks.exe
1520	schtasks.exe
740	schtasks.exe
1092	schtasks.exe
2732	schtasks.exe
1264	schtasks.exe
2192	schtasks.exe
1736	schtasks.exe
2124	schtasks.exe
1920	schtasks.exe
2248	schtasks.exe
2232	schtasks.exe
2656	schtasks.exe
320	schtasks.exe
1492	schtasks.exe
2464	schtasks.exe
3028	schtasks.exe
1844	schtasks.exe
1584	schtasks.exe
2424	schtasks.exe
1720	schtasks.exe
1740	schtasks.exe
2832	schtasks.exe
1352	schtasks.exe
1112	schtasks.exe
2576	schtasks.exe
1580	schtasks.exe
2660	schtasks.exe
1860	schtasks.exe
1428	schtasks.exe
1948	schtasks.exe
2956	schtasks.exe
1340	schtasks.exe
668	schtasks.exe
2904	schtasks.exe
1620	schtasks.exe
1964	schtasks.exe
2620	schtasks.exe
448	schtasks.exe
580	schtasks.exe
2296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2740	DllCommonsvc.exe
556	powershell.exe
1728	powershell.exe
2388	powershell.exe
344	powershell.exe
2988	powershell.exe
3008	powershell.exe
352	powershell.exe
2508	powershell.exe
1768	powershell.exe
2096	powershell.exe
2264	powershell.exe
1036	powershell.exe
3048	powershell.exe
2156	powershell.exe
872	powershell.exe
1984	audiodg.exe
1308	audiodg.exe
2232	audiodg.exe
2912	audiodg.exe
804	audiodg.exe
2532	audiodg.exe
2688	audiodg.exe
692	audiodg.exe
2164	audiodg.exe
1468	audiodg.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	DllCommonsvc.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1984	audiodg.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1308	audiodg.exe
Token: SeDebugPrivilege	2232	audiodg.exe
Token: SeDebugPrivilege	2912	audiodg.exe
Token: SeDebugPrivilege	804	audiodg.exe
Token: SeDebugPrivilege	2532	audiodg.exe
Token: SeDebugPrivilege	2688	audiodg.exe
Token: SeDebugPrivilege	692	audiodg.exe
Token: SeDebugPrivilege	2164	audiodg.exe
Token: SeDebugPrivilege	1468	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2500	1304	JaffaCakes118_8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0.exe	30
PID 1304 wrote to memory of 2500	1304	JaffaCakes118_8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0.exe	30
PID 1304 wrote to memory of 2500	1304	JaffaCakes118_8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0.exe	30
PID 1304 wrote to memory of 2500	1304	JaffaCakes118_8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0.exe	30
PID 2500 wrote to memory of 2340	2500	WScript.exe	31
PID 2500 wrote to memory of 2340	2500	WScript.exe	31
PID 2500 wrote to memory of 2340	2500	WScript.exe	31
PID 2500 wrote to memory of 2340	2500	WScript.exe	31
PID 2340 wrote to memory of 2740	2340	cmd.exe	33
PID 2340 wrote to memory of 2740	2340	cmd.exe	33
PID 2340 wrote to memory of 2740	2340	cmd.exe	33
PID 2340 wrote to memory of 2740	2340	cmd.exe	33
PID 2740 wrote to memory of 2156	2740	DllCommonsvc.exe	77
PID 2740 wrote to memory of 2156	2740	DllCommonsvc.exe	77
PID 2740 wrote to memory of 2156	2740	DllCommonsvc.exe	77
PID 2740 wrote to memory of 1768	2740	DllCommonsvc.exe	78
PID 2740 wrote to memory of 1768	2740	DllCommonsvc.exe	78
PID 2740 wrote to memory of 1768	2740	DllCommonsvc.exe	78
PID 2740 wrote to memory of 2264	2740	DllCommonsvc.exe	80
PID 2740 wrote to memory of 2264	2740	DllCommonsvc.exe	80
PID 2740 wrote to memory of 2264	2740	DllCommonsvc.exe	80
PID 2740 wrote to memory of 2096	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 2096	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 2096	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 556	2740	DllCommonsvc.exe	84
PID 2740 wrote to memory of 556	2740	DllCommonsvc.exe	84
PID 2740 wrote to memory of 556	2740	DllCommonsvc.exe	84
PID 2740 wrote to memory of 3048	2740	DllCommonsvc.exe	86
PID 2740 wrote to memory of 3048	2740	DllCommonsvc.exe	86
PID 2740 wrote to memory of 3048	2740	DllCommonsvc.exe	86
PID 2740 wrote to memory of 2508	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 2508	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 2508	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 344	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 344	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 344	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 3008	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 3008	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 3008	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 1036	2740	DllCommonsvc.exe	92
PID 2740 wrote to memory of 1036	2740	DllCommonsvc.exe	92
PID 2740 wrote to memory of 1036	2740	DllCommonsvc.exe	92
PID 2740 wrote to memory of 352	2740	DllCommonsvc.exe	93
PID 2740 wrote to memory of 352	2740	DllCommonsvc.exe	93
PID 2740 wrote to memory of 352	2740	DllCommonsvc.exe	93
PID 2740 wrote to memory of 1728	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 1728	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 1728	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 2388	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 2388	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 2388	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 872	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 872	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 872	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 2988	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 2988	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 2988	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 1984	2740	DllCommonsvc.exe	107
PID 2740 wrote to memory of 1984	2740	DllCommonsvc.exe	107
PID 2740 wrote to memory of 1984	2740	DllCommonsvc.exe	107
PID 1984 wrote to memory of 1504	1984	audiodg.exe	109
PID 1984 wrote to memory of 1504	1984	audiodg.exe	109
PID 1984 wrote to memory of 1504	1984	audiodg.exe	109
PID 1504 wrote to memory of 1508	1504	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8021ac0bcf79ac07ebc356b112f1d90a0db7303c9c9fcba41f9b57b6b9a800a0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\include\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\AvailableNetwork\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
    - - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1508
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        8⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2424
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        10⤵
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2132
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
        12⤵
        
        PID:692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2024
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        14⤵
        
        PID:896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2668
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat"
        16⤵
        
        PID:668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2736
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
        18⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2696
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
        20⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1928
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
        22⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1160
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat"
        24⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b4d00dee780516f5a8b444ce676c9c3b

SHA1
d4c69acf1ed2a6d56d238092b28e55be8b9e0f52

SHA256
44ecced68ba0cd8c93b3f4a01fcfb975aab3ded8fffec0d23fde052ffb1fd923

SHA512
da036fd4f0b3a13ccb6428890d7bb89440b263ae26dd8cca82e8d472e0faf639123b677806d8245d84833eb072d239f71487fe64ad6566ce60a67781b1a851de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c69410db75125c0bcf9a750770863667

SHA1
be7b3945da2ef43c7321af90720e4fad64e134ae

SHA256
43109d57d79aa48b9e0eaf6af1cbc00aab4f6013fca7225d00eb1dbcd46929a0

SHA512
f93a4706f350dfb9304e984f565d07c39515dd84ebecc6a034c737859ada9a56e5c036cef3dfd9fc689ed096233161b3502850ed514b46f3c0f06ef6d27eaf26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59b0581a3ba052dcc08ed457cd28f976

SHA1
f81cb8c85f03b8269a25930850ec4b15d170722d

SHA256
31436842761d02e3da75632628672cb33ed539bcc79b4bab9dcdbf2654429eaa

SHA512
d8a028a81adb60bbc419bfdd905eeb55ee3f2204e602cc7d76ded61688e89471d21c2e0fc7592ef8522fbc8d25ed11233a719b11a4d3a7d7888c937dbdad24ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41579a97bac43a3b9b1eab648814165e

SHA1
51bc2dfde589e766766f79a5845fca98e17ed5cf

SHA256
60a8844f025ce5ca27660d90d402e2fb40da4eaa904edbfc99113a6f857fb705

SHA512
bf049210d1a805934ef19fd4606454a06073f324fb1832d0d20c59a8adc9cfbc1883892401be9a7932beae9af956c0376a6be1edff5eaa0859cbfdf483a75ab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f64c7f074705ef110eda22d87c27a46

SHA1
a63c33092d39d61d6dd78fa2b843204a9fd1b389

SHA256
d4f9cedb7b3e64ca781c56af5f534ef5955d0571fa3b2cdf74ac6c1689a7942c

SHA512
888ce7b92b87e8546622579f73f383740a993ae3d0fb4633e9162a035f9fa4d4c2bc28b34554256e0464240d6dc0a8860e860cefb9b7565a52b64687beccccff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4ed0f362635c2751d1de7c331ffff24

SHA1
7f9534b148ffad1e79efbc5ab980b9b0ada4f2b6

SHA256
8646c75ec8ccbb101410c50e82227cd0653dda3a0d1fa0c678343b9d96f47785

SHA512
dd8b8f7b01e0a162c971d1d37493934329ad9a5be7cc1d8b0d3792146d58e700f518405ee4aa6b2ad4e746a28d6c7cab33736a2239855703e0bc0db3c094d8ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be831c4853d87aa33f17b36bce346de7

SHA1
91b52c53b9585b4efe455803cdd3fbfa293c5adc

SHA256
4b2af699902d7c676d54c10c1c80c12f5be964fc5bc4e951ddc488c5f38bf502

SHA512
c078a18239732cf4fd651387729344f3cd24818be62b94af0fddaeb056217d2f68e947b942825d6c0762d4ec286b1c2af6245c220ebc798b5596520e382a4fc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4ef18f78fb9c8e6407edb8ecbb56339

SHA1
f0bb95a09808ef6d9c11216809be16a21b3bfa56

SHA256
ba4454b51487f74b44eabe50b1a6ecb17d344a0a7ef07cb35d86ed2f0d6a6ab2

SHA512
753a7fd98b2465972da5ce25e321436d2cce05f010ff206831b7a45c008dfb3b2080f1dde235215bbb1796174a40ea3b324735bdb3e39b60ab5f3e4f0acd8c36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
440909dc7ce64eda844f9d96e19ee14f

SHA1
1d04af0fc386ff357198f180c199474d12cdeea7

SHA256
5e0fbf46791224cc48afec9f9f8069252a14a2c5c4a136ae489e2bcd3a527be3

SHA512
9a6a46bc751f979753184e1c46c002974d7b6657c7065da23906e2c48c716b88bbafffe5f5b1453c571ef1e3fabd9ee779936e0b0caecd39365ed36411fe338c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

Filesize
239B

MD5
2f87d625dad21be8d3159f4a346e67e9

SHA1
782ef06a73d12b9a8f45de388c5445f6604f4ac2

SHA256
1e6c94562a1208e337e4e66322720a3a5163c769d8e6aeafdf4cfe632c627f5f

SHA512
5c227290b3326d5c9d43ab8c0fbd1c20329021a4e985b73ab563b36002b7c10fcc12a8a0126a14f613c9cd741ac92b84b0e9b41e77749dd3eb4b33f4ac58d2d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

Filesize
239B

MD5
d795aaaf6fdb3cd0b282a4d3be08b2c2

SHA1
4ab4dd80b9a9953df3d259ed7cedc0bdfb78b244

SHA256
f26cb78c279edc7aad2c6ba361d2ed181550993e2ea6631b7ce6e4ecd9c8f163

SHA512
32aa08df11665c38ec3989dfe1e0e0a0020cc15b2d06ee26bb9dc0a06a4e6e1e6d0bea1682a60851100120b46d9fdc7b2e162e0a828592cd1e7425f321ad5282

Download Submit
C:\Users\Admin\AppData\Local\Temp\2wrSnsL5gc.bat

Filesize
239B

MD5
4a8bf5be95548de29936fe14a8ea8096

SHA1
eec292ec1ee4a7953f6d7ae08ff4774aeb7204dc

SHA256
467a761414d37070e40bf38c553f51bd69c0a2242de845d7e5c6c93e2a6c68e0

SHA512
db8b36cc9960e1de66e056686c1f789e052602b1ecddb5cf7a82270d1326e28e79814d6ef95125e8f04da1216219df7f985fe888690947953bbd9ae4c4710b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

Filesize
239B

MD5
7676d6c73cf5bd51b2215ee50447949c

SHA1
c2765ff4eb2cd96667560307f6a8f966e7239a55

SHA256
14973f65b11dd385a782b1df873516522675b2189f3cfa8794180ef4e8c2c6ce

SHA512
4947518e8bc2f03cf4d68afbeabf07a16facbb5ba27a9e3d6cfb86ef9cf4edd7b6c387f29df1c7e084f10291d0861c1a56245527849f24791a56fb1a66cc7a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCF52.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
239B

MD5
84599df5eced373da0facb35de9e8d6a

SHA1
5a23277d10c380da1c91aa3d9732a6247d31df9c

SHA256
a69b6da6a24a8ac0385a66a2b7b886819383bbdc0a336484432f569459662dad

SHA512
4ad4cce148c3e8e15dd54331a0bc22730d5f63fd68b4eb6d2fef505131b88b3061cf850a4f9ab6fa212d22e055a3df3791774a228230a4cbfa1e7c5425af1693

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
239B

MD5
a6c9661f9299f15cc81ce0e65bbd9c68

SHA1
12036a18b7f6401aaf111b090f12e23c876cfa3b

SHA256
f65513a6345a7b7d84910a791ed14a9ab073d67591457d81d037f31f47299f03

SHA512
41e039f68b8c993d661f24bf353a5fd0a1f5b0301ba7a17a56429e21d18005b7c37d6cf1c24d03f6358c14c3f337126171e0796b1f9058385030e2f78519864c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ST975DOJvB.bat

Filesize
239B

MD5
2423d16eb3d6415614544842fe8fe487

SHA1
a70155bf813dd7da815b14393edb4c7b07f48098

SHA256
2ff2b0e106544930c1a704bcfef6b99f2459c4df237ecca1ffe1c1b029e1c4ab

SHA512
ee79b39318159fbb43bb32014a1be569e33f8abfa5e6628d7406888f69b6ca8ee428dff4ba2c9f3291d30fd149183e24dd2b2bd40464e971b18808b4a684b24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF65.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
239B

MD5
1ff10393012e889eece7180bfd0646a3

SHA1
2930af4f41ec74ca6acc1f2b897aeeec97868ac7

SHA256
6f269f7351a33a4dfab8c583a4e8547c000cfa4197eae4dcb97814b15401bb3a

SHA512
d4312392ce632eaa8517383fd9026a58e67e0f4f94dcec6f4020f0a97fd4568b87a3abf0f5a12248e58de81c68fd32a608a3d55cb6c441faa2b5e4501ed02e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
239B

MD5
3afad777bfafe5a8557218997c586fe8

SHA1
76a221af76c96fb7fc9930e6fdc276f0e69c067e

SHA256
2db308e766883013c07971a9fdc9244b88d9ed49099e901b853e697784b0d9fe

SHA512
556891fb239f6988a6ca009eed6eda5416615167bc1c8a8adb7c7edd02ef71c4418c678d2ad0e0e366588fdd1f9499d0d0e4b5a6a93d75ffbc3cf0d1e2a37c11

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
239B

MD5
f681fdfa7a1e14d14e611114b12d2211

SHA1
a6caa01807ebf7436bb38de0deaee71f4d28177b

SHA256
5d4cda3012de123aa2448984c12a53411dc7ff9cf9cb0571d889b7382f2458ba

SHA512
2f8aedc443a7e6fd81c49b61a2fbde09cb34e91aad86697ec10c9a0662e1b19431b68bc593fce2eb3504194ad0ff47e70f88dfec1f89024df3135827c9eaa01f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JS1HVR5ITWIKGRSVYPYH.temp

Filesize
7KB

MD5
a62e5de1bac8b906d35af2ac10a8a960

SHA1
1bc2f96b9879bb69ed8487e953af6c544131e8ad

SHA256
e632c7bf44c2c3bd440280eb565ef805abababb7864660c6f639a7caaa4a542a

SHA512
6628e4fed027f3ff66c49f20efba1111b14f010315b864861acd342003b4e1db03984caa6eca0d4543cb5c7750c5faadb1e011a1dde97bb63bd96eb8fd9b2228

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/556-83-0x00000000028E0000-0x00000000028E8000-memory.dmp

Filesize
32KB

Download
memory/692-544-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/804-366-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1984-52-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2164-605-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2164-604-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/2232-246-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/2740-17-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/2740-16-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/2740-15-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/2740-14-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/2740-13-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2912-306-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2988-82-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download