dcrat | a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141.exe
Size

1.3MB
MD5

08dfa02836924e1208cd87c50079122b
SHA1

a8ec5f7f6f0fd4e4f450a3528852b0729584815c
SHA256

a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141
SHA512

7382da67791799e575a42c431e1a9825abca9b020daa04d7ae8ef141b7ce6a576eed4f35f9592c8888cd8e8ce3ac8117cf1bd63d323e9bb5e0956ab309bccee5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2604	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001612f-9.dat	dcrat
behavioral1/memory/2568-13-0x0000000000A20000-0x0000000000B30000-memory.dmp	dcrat
behavioral1/memory/2644-120-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2432-179-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1772-357-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/2192-417-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2148-477-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2548-656-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2336-716-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2392	powershell.exe
2268	powershell.exe
796	powershell.exe
700	powershell.exe
2004	powershell.exe
2960	powershell.exe
2364	powershell.exe
1752	powershell.exe
1012	powershell.exe
1396	powershell.exe
2816	powershell.exe
1004	powershell.exe
1844	powershell.exe
1540	powershell.exe
2200	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2568	DllCommonsvc.exe
2644	audiodg.exe
2432	audiodg.exe
2664	audiodg.exe
2704	audiodg.exe
1772	audiodg.exe
2192	audiodg.exe
2148	audiodg.exe
2532	audiodg.exe
1908	audiodg.exe
2548	audiodg.exe
2336	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2968	cmd.exe
2968	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
41	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\c5b4cb5e9653cc	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ebf1f9fa8afd6d	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\fr-FR\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\de-DE\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\de-DE\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\AppPatch\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1296	schtasks.exe
1144	schtasks.exe
1624	schtasks.exe
1920	schtasks.exe
2184	schtasks.exe
1092	schtasks.exe
1384	schtasks.exe
1724	schtasks.exe
1040	schtasks.exe
2108	schtasks.exe
1260	schtasks.exe
2904	schtasks.exe
620	schtasks.exe
2428	schtasks.exe
1916	schtasks.exe
2432	schtasks.exe
1112	schtasks.exe
3056	schtasks.exe
2956	schtasks.exe
1348	schtasks.exe
808	schtasks.exe
1928	schtasks.exe
2376	schtasks.exe
576	schtasks.exe
2168	schtasks.exe
912	schtasks.exe
2032	schtasks.exe
1640	schtasks.exe
1900	schtasks.exe
2740	schtasks.exe
1036	schtasks.exe
1284	schtasks.exe
588	schtasks.exe
2360	schtasks.exe
2104	schtasks.exe
2852	schtasks.exe
1720	schtasks.exe
812	schtasks.exe
2084	schtasks.exe
1324	schtasks.exe
2404	schtasks.exe
2276	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2568	DllCommonsvc.exe
2568	DllCommonsvc.exe
2568	DllCommonsvc.exe
2568	DllCommonsvc.exe
2568	DllCommonsvc.exe
2568	DllCommonsvc.exe
2568	DllCommonsvc.exe
2568	DllCommonsvc.exe
2568	DllCommonsvc.exe
796	powershell.exe
2392	powershell.exe
700	powershell.exe
2004	powershell.exe
1004	powershell.exe
2816	powershell.exe
1752	powershell.exe
1844	powershell.exe
1540	powershell.exe
2960	powershell.exe
2200	powershell.exe
2364	powershell.exe
1012	powershell.exe
2268	powershell.exe
1396	powershell.exe
2644	audiodg.exe
2432	audiodg.exe
2664	audiodg.exe
2704	audiodg.exe
1772	audiodg.exe
2192	audiodg.exe
2148	audiodg.exe
2532	audiodg.exe
1908	audiodg.exe
2548	audiodg.exe
2336	audiodg.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	DllCommonsvc.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1012	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2644	audiodg.exe
Token: SeDebugPrivilege	2432	audiodg.exe
Token: SeDebugPrivilege	2664	audiodg.exe
Token: SeDebugPrivilege	2704	audiodg.exe
Token: SeDebugPrivilege	1772	audiodg.exe
Token: SeDebugPrivilege	2192	audiodg.exe
Token: SeDebugPrivilege	2148	audiodg.exe
Token: SeDebugPrivilege	2532	audiodg.exe
Token: SeDebugPrivilege	1908	audiodg.exe
Token: SeDebugPrivilege	2548	audiodg.exe
Token: SeDebugPrivilege	2336	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2792	1940	JaffaCakes118_a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141.exe	30
PID 1940 wrote to memory of 2792	1940	JaffaCakes118_a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141.exe	30
PID 1940 wrote to memory of 2792	1940	JaffaCakes118_a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141.exe	30
PID 1940 wrote to memory of 2792	1940	JaffaCakes118_a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141.exe	30
PID 2792 wrote to memory of 2968	2792	WScript.exe	31
PID 2792 wrote to memory of 2968	2792	WScript.exe	31
PID 2792 wrote to memory of 2968	2792	WScript.exe	31
PID 2792 wrote to memory of 2968	2792	WScript.exe	31
PID 2968 wrote to memory of 2568	2968	cmd.exe	33
PID 2968 wrote to memory of 2568	2968	cmd.exe	33
PID 2968 wrote to memory of 2568	2968	cmd.exe	33
PID 2968 wrote to memory of 2568	2968	cmd.exe	33
PID 2568 wrote to memory of 2816	2568	DllCommonsvc.exe	77
PID 2568 wrote to memory of 2816	2568	DllCommonsvc.exe	77
PID 2568 wrote to memory of 2816	2568	DllCommonsvc.exe	77
PID 2568 wrote to memory of 2364	2568	DllCommonsvc.exe	78
PID 2568 wrote to memory of 2364	2568	DllCommonsvc.exe	78
PID 2568 wrote to memory of 2364	2568	DllCommonsvc.exe	78
PID 2568 wrote to memory of 2392	2568	DllCommonsvc.exe	79
PID 2568 wrote to memory of 2392	2568	DllCommonsvc.exe	79
PID 2568 wrote to memory of 2392	2568	DllCommonsvc.exe	79
PID 2568 wrote to memory of 1752	2568	DllCommonsvc.exe	80
PID 2568 wrote to memory of 1752	2568	DllCommonsvc.exe	80
PID 2568 wrote to memory of 1752	2568	DllCommonsvc.exe	80
PID 2568 wrote to memory of 1540	2568	DllCommonsvc.exe	81
PID 2568 wrote to memory of 1540	2568	DllCommonsvc.exe	81
PID 2568 wrote to memory of 1540	2568	DllCommonsvc.exe	81
PID 2568 wrote to memory of 2268	2568	DllCommonsvc.exe	82
PID 2568 wrote to memory of 2268	2568	DllCommonsvc.exe	82
PID 2568 wrote to memory of 2268	2568	DllCommonsvc.exe	82
PID 2568 wrote to memory of 796	2568	DllCommonsvc.exe	83
PID 2568 wrote to memory of 796	2568	DllCommonsvc.exe	83
PID 2568 wrote to memory of 796	2568	DllCommonsvc.exe	83
PID 2568 wrote to memory of 1012	2568	DllCommonsvc.exe	84
PID 2568 wrote to memory of 1012	2568	DllCommonsvc.exe	84
PID 2568 wrote to memory of 1012	2568	DllCommonsvc.exe	84
PID 2568 wrote to memory of 1004	2568	DllCommonsvc.exe	85
PID 2568 wrote to memory of 1004	2568	DllCommonsvc.exe	85
PID 2568 wrote to memory of 1004	2568	DllCommonsvc.exe	85
PID 2568 wrote to memory of 1396	2568	DllCommonsvc.exe	86
PID 2568 wrote to memory of 1396	2568	DllCommonsvc.exe	86
PID 2568 wrote to memory of 1396	2568	DllCommonsvc.exe	86
PID 2568 wrote to memory of 700	2568	DllCommonsvc.exe	87
PID 2568 wrote to memory of 700	2568	DllCommonsvc.exe	87
PID 2568 wrote to memory of 700	2568	DllCommonsvc.exe	87
PID 2568 wrote to memory of 1844	2568	DllCommonsvc.exe	88
PID 2568 wrote to memory of 1844	2568	DllCommonsvc.exe	88
PID 2568 wrote to memory of 1844	2568	DllCommonsvc.exe	88
PID 2568 wrote to memory of 2200	2568	DllCommonsvc.exe	89
PID 2568 wrote to memory of 2200	2568	DllCommonsvc.exe	89
PID 2568 wrote to memory of 2200	2568	DllCommonsvc.exe	89
PID 2568 wrote to memory of 2004	2568	DllCommonsvc.exe	91
PID 2568 wrote to memory of 2004	2568	DllCommonsvc.exe	91
PID 2568 wrote to memory of 2004	2568	DllCommonsvc.exe	91
PID 2568 wrote to memory of 2960	2568	DllCommonsvc.exe	92
PID 2568 wrote to memory of 2960	2568	DllCommonsvc.exe	92
PID 2568 wrote to memory of 2960	2568	DllCommonsvc.exe	92
PID 2568 wrote to memory of 2636	2568	DllCommonsvc.exe	104
PID 2568 wrote to memory of 2636	2568	DllCommonsvc.exe	104
PID 2568 wrote to memory of 2636	2568	DllCommonsvc.exe	104
PID 2636 wrote to memory of 536	2636	cmd.exe	109
PID 2636 wrote to memory of 536	2636	cmd.exe	109
PID 2636 wrote to memory of 536	2636	cmd.exe	109
PID 2636 wrote to memory of 2644	2636	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a6750406d98a4b69fcc09e23db221eee4b76bf8f97d508d2ecfb586b21a18141.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\de-DE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\fr-FR\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\SpeechEngines\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ErLC8AtReh.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:536
      - C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat"
        7⤵
        
        PID:1332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1928
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
        9⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2404
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        11⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1152
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        13⤵
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1144
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
        15⤵
        
        PID:576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:960
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        17⤵
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2620
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        19⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1984
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        21⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1764
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
        23⤵
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1048
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
        25⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2208
        
        C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe
        
        "C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat"
        27⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\Office14\1033\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Links\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\PLA\Reports\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Reports\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\fr-FR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\AppPatch\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\SpeechEngines\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Common Files\SpeechEngines\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\SpeechEngines\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d01b588d316b402dc651cef3156f1836

SHA1
fa1c0ea60ba0ea98c8352911bf864728aee938a9

SHA256
ec87ef03ead3a2cd818594e0c42c7989cf3389f2761f925a64678330de182941

SHA512
aa1254bdc5b085a9d6a79cde03083b5646d83c5cd5c4084ada8335c73f40bcd1a95841d7bc6ead9dd10958ab0ead8ab46099491af21a8cb135e082a489a46c2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e8d562e87db64eff926fecb1172c9e4

SHA1
a8c83601a0a9261de74ae6569d70022808066e75

SHA256
8566aaf30f877200974051381a3550292b680871e2e4a72afac2b194ee25669d

SHA512
f790dd5c47deb1e7f65eb33a46052f5e2a05a8dfee127439cdee0ee2680ace9e70b765b4324b87fa15bf7d8214aa9a8bb9e99caca34859861ecf44537e6ff32d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
791821628e762899be88606694025cae

SHA1
0ea55e8598cf50864ba6649737adc70dca0a4085

SHA256
39f525c8e17e534452e97d35f5b8873295708a96c33a590770a8897f89e45818

SHA512
3bbc4a8ad5ee7030024104d9e8d089ba8aa88bc17a0d9de9a22362b7747f70fe379fbe776e27a5c12695423cc8016011eccf0c29d414056274191fb93cb77d21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f4a99916ef177c3e8e8c46840daa7a5

SHA1
d2a1390eba2f04b05aa2981291e432777652e38e

SHA256
d479482ff0642fdfbe3805ced4b45623dcd7d749cc20de4c16d75e49060f5f3c

SHA512
542f076d549230a53f0ea365bc9319b86f97768d5e0a68239f33d6367c5f53f9c8f31b6bb267b630958587f0541eb9ea9d6b4b92a2948bd98b934ae2da62e26b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0480484a67dbc6a6491c8e01813a0cc7

SHA1
d3a461d068fbcfec873528d6ed1093044666172d

SHA256
71fe6396b6f7fb64a2d67f1c49b1bc9d6a2beafc73760661387da8c173131826

SHA512
ad407ec79e09f600580999ce0ca059acaa0e3c52894f651905740dd63e9254ea0128781a4fb67247be0d42e15e83e2fe79146088e59b51956e058a6b53044299

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea12343dabce188277c1ae916ba6af44

SHA1
c784c8976a894e37fa78880d8239e2896ff14a68

SHA256
868980777f8a5bd35818ec3366ff3ff9eb8ddf66d11b4f4ef500abca706bb6d0

SHA512
5ce7e07d27062e7e3debf62c715971b2319dfa69b451705666861d46ceda6c4a651d8aa5f0ba16a52a0245d061552fc8ee75a12abb9e9e2b96e5c561d21d9626

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ab46acfceea42bb84547f66a91e5b16

SHA1
f051283c2b5563099f87af6160e087a61f9de6df

SHA256
63a551b6ef619e32a6cfc346a5e54c94a8f10ad7bd05aa242c10929956014bdb

SHA512
5c219a5c1f6a9088df87fc87dfb36c2da3824b018815a933af1df3a18f35f8811aba9c2c4f96306746f5ee2b0f56290d149f7eb6c9d2fcf9ccd65fd92e6be382

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e12fa088fb4befcd84dc3437bf3bd72

SHA1
a5525b3f16a4230174c19b5b7f35080145d9b436

SHA256
5141c6212c6b7f5a21974b7d7ffd1ff8cdd6d173de7f4323c985117de19043db

SHA512
3517f0dce46811f5618dbb69afcbb9ace3bbb09fa9d2aa7c00b5815556f18ba5285c6aac46d5d356234718c9fc6a20d5373f2b54d1572d8244390a5ba78e04a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c672859b370db2afca5ab5f2ba1938f

SHA1
d788c8c0db14506c78e1d7b2414ebfcbc6f38829

SHA256
f1ac5498291641c65e1102a3b48f2ea77fed834b4e9604cd47d6a0237a0f8ec4

SHA512
64689fec53bab50e2b95ef5e6883786bd199eeb603873639fea083e2f81514c2c3e8f327dc14f9512c5817fe5946329ef0de5bd13b98cdfd0164b9f287f3e986

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0fdd9c13722f42c51bcfa06687ca8729

SHA1
b6fce58cb344a2a963af09ed6f7890f5479465f3

SHA256
691b1ba71e89cb11e2229dde2780a32a16a3b95db0213f5e9753319caca0a2de

SHA512
e84044737d10e7856ba243eca9f338c90bf2746f13b43a1f5a4a6df755e732fe69a4d95273c053f8845dad3d16c54535f6baf9b43811798d483c38b3f5429078

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CKPPXbanu.bat

Filesize
224B

MD5
af6f67e69e63adcce2df925fd6afe3b1

SHA1
206f1e4b052df764c15c2d27ef7245f9feb871f2

SHA256
84671d030b53cb33353797eed6da819c5ebb00be8c6801d225d48004013fb2b5

SHA512
c3faa24c8ef8faca91c993cff95e0a0dc48529e44525e13bad3ca8eb2804c25e1e2f7b6c27eeaaa607a61dd892bbe85283fcacbd305c73bb8b2f10f33e551d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
224B

MD5
89f5a63575b93e45f571cd23819e6ff7

SHA1
f272f91a30fa96b316ba4d495137487a2382c273

SHA256
bad2e1d894e1f05b57e963e290f7aa0c3cabea3bebab0fe705668436dd6cd375

SHA512
e692d9f496d23e8592449b8935e0363709122fc71195987f97e339bf8a8a7306444c00d457f800e9a578dce9fa244f91310c5c5d89e8f647169d31f4f1c19108

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5CE1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CxpWyGgMb4.bat

Filesize
224B

MD5
ddbbffbd5c584633001829f496084397

SHA1
f1ff0520e1125c97ac4bf95b027203129d7ee2bd

SHA256
d42cbc7367b27075f0710e0f7e8bb726133bbeaaa8b88738580d359f0c8840e2

SHA512
0557031b77e6a1e92336a323d6b37d1a8f1f91274b266b02fc03f07253211702356ce0afd2c2b9e778ea3aba498911ce35cbf642371b5806b8ba1f14c8923233

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
224B

MD5
6410553247aeed550fc245b6939bf755

SHA1
be1efef159f77aabf600f7c56b6c5e10b3915e64

SHA256
fdbb33fd4cc8203f5814c4afa74b59c2c99199fc0454a97a2c5c7f44759c51ac

SHA512
55424e389139594c4ca4a242336399d7703972a6b691d5fccc045784609b77506a8eeac8df610da164103e8fdfc1c503213aee5b7a8b7fa657d4b29d1c79549d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErLC8AtReh.bat

Filesize
224B

MD5
0c093371d837341524944dd782fb332b

SHA1
f83d078953f8cf9f2b51db69efa880b1e1360c51

SHA256
c38123aec97a2488bdd71e6311088782c5a44a59ade268647d174128c1ef6054

SHA512
5b9c5897566b5717f0ec8467353ff984876d22462bb43ff268ea22bd43ba11bca8de09a6545ef55d147983f1fb78a6d63733695f41c64728f707c48bd589aebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
224B

MD5
0eeb7b37341f811736f881473daa0325

SHA1
3467d1e3e91ee7cd1a2212699ba1e934c4bb9b78

SHA256
ac39d6a54c8907077c534b35420c228e40f24d752c26e80a0b36df74a00a626d

SHA512
8e54b5d7cdfadcd534b5d97070883356a9b1851bec0fab120ab83b76821dfe3a2b0575d150f54723fb016f4137cb6d584485e138bacca9cde7ef18b5ba8bb47f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
224B

MD5
73243bcc1f058e5e4e7656e6075bddfb

SHA1
e86c1e131dbdb271a42f4cb16aadec03311d5e75

SHA256
78deca5a0271d3789753420225dad047384c04954e50ad6824dfe76f92d0f49a

SHA512
f8896916db4aa88957a956dc151910d6d6364696d6d2bdc67e86fda9dabf1052ae5d3c12dd1fe1834db2cc0771e33efe6f0bd001633b1ec28719dc5ddbd3a9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5CF4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

Filesize
224B

MD5
1b221988fcaeb0eccbbfa449375610dd

SHA1
3d25b82ef5fa62f6d008c91d1555ea0e1b2d3081

SHA256
e6898e1732f693e32b748ec4234d1a24c7c5084b4c3401882408c522025bb9a9

SHA512
2d90d108da753d2aa77d2d26bd7b459146750fb556522c0b5cae64b307c409c42446b9fa0afc8e0c9922c914df612be5cbeedb8678253c56bf2bacaed3f7114f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

Filesize
224B

MD5
cec1b81c85e64f82628d869eff34adde

SHA1
179583fb9b18f9193e08a2bad7f6bded7a32ba0f

SHA256
1f99511a56f478dd4026f0a4eb1c0fef8c4da67cef367fd000223fc1bcc0c8ce

SHA512
22c835fc884167087b6889b96713a16b15231dcd842fa878c0a01741c6b0651899e078020e8584dff2f3b23a8dc72297421d0034ea8fe65ac82a7096d41f25c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

Filesize
224B

MD5
a06e9400d4214297eee9d97a0d7a1b29

SHA1
1275cbf97647f567856aac3cd89012dca78bc04f

SHA256
9a591f2f7578630fcb38fafb0d761ad8238b777c0d4dfce63c8d2fbba1282d4b

SHA512
30d30ffdea2595aecdae6815f277840f678c04ee656f93832ca6269477ed25a64cbb610e03cbd8001fc49114c1d7c1e89664b0f5fc54a9653f847b2b1e52d020

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
224B

MD5
b904c6e664a76fa977b2b3372ef2759c

SHA1
f2cf739a0ed1780f70662f48f23300bbd4aaa31d

SHA256
d85b9e4e9519ad5150091e12cc634ba3c67839fa2470e95cf363f821793524a3

SHA512
f5bb082a806b31b08ad90d62161ef673216dce774244cfa8281c0d3de0520f68f6cd4cabe4202b6fdb6ede1a186f13cb562d3a25fc3d6e6f82ea207cd555d98e

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
224B

MD5
bb5653607cc15f4e4e8de040ce24bdf9

SHA1
bf2e833aeca6a89d6431560d43554cfa12410a50

SHA256
61d90b67f0e989c26fc5055e5e57b2bf2be3c2a1017370b1592adb2320a292ff

SHA512
c4f28acb1bcff44ba23097d161f04e1ba767332dbffb793f76a766cce71f5013156ded8efc321523e982456a8dc515313785e58b936909bb82bd09f05db45395

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
287b2d5cfb27b2463aa1d832f8c112d5

SHA1
0b3f20f08593937a3428d661b5bd8d8ecc78a572

SHA256
30c8203c953254bf7896527e61633f7d32aa50c1355abf9129d665f413f064d7

SHA512
00fe19edf45310b5789bb2b2c22b3011291e06297393941377e349c60e3249cb0f60d9e810e9a0be6fbf2061422efeca036a4ad25ac12ca4be139c9f32fb802c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/700-64-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/796-65-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1772-357-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2148-477-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2192-417-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2336-716-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2432-179-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2532-537-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2548-656-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2568-15-0x0000000000430000-0x000000000043C000-memory.dmp

Filesize
48KB

Download
memory/2568-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2568-16-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2568-13-0x0000000000A20000-0x0000000000B30000-memory.dmp

Filesize
1.1MB

Download
memory/2568-17-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2644-120-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download