dcrat | a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf.exe
Size

1.3MB
MD5

bfc8406b4e6fc4ea7057230eb8b97bcd
SHA1

0d70646e95f1a40e3eda781d60c54a68dc5e4217
SHA256

a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf
SHA512

926ab80b93c83ec9c0633e377c9d5632666a45b6b8c0d627758c33f61455501885bb244f17152ca75ced31c0e7c76a3079de8dcedb96a9660d2fa6b36d91e010
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	812	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2524	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2524	schtasks.exe	32

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014b28-9.dat	dcrat
behavioral1/memory/2748-13-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2560-75-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2276-202-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
behavioral1/memory/2784-262-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2036-322-0x0000000000990000-0x0000000000AA0000-memory.dmp	dcrat
behavioral1/memory/2484-382-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/408-442-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1648-502-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1732	powershell.exe
1020	powershell.exe
808	powershell.exe
996	powershell.exe
2280	powershell.exe
2444	powershell.exe
768	powershell.exe
2828	powershell.exe
2272	powershell.exe
1044	powershell.exe
1588	powershell.exe
2316	powershell.exe
1516	powershell.exe
2296	powershell.exe
1072	powershell.exe
1956	powershell.exe
2692	powershell.exe
904	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2748	DllCommonsvc.exe
2560	lsass.exe
2276	lsass.exe
2784	lsass.exe
2036	lsass.exe
2484	lsass.exe
408	lsass.exe
1648	lsass.exe
812	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	cmd.exe
2732	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\services.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\ebf1f9fa8afd6d	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ehome\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-l..omebasicn.resources_31bf3856ad364e35_6.1.7600.16385_it-it_a1ee8ceece02f941\cmd.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe
2032	schtasks.exe
1244	schtasks.exe
2208	schtasks.exe
3064	schtasks.exe
868	schtasks.exe
2096	schtasks.exe
476	schtasks.exe
1844	schtasks.exe
1492	schtasks.exe
2816	schtasks.exe
1712	schtasks.exe
1728	schtasks.exe
2596	schtasks.exe
2680	schtasks.exe
2320	schtasks.exe
1340	schtasks.exe
1228	schtasks.exe
916	schtasks.exe
316	schtasks.exe
2148	schtasks.exe
812	schtasks.exe
2404	schtasks.exe
1028	schtasks.exe
1980	schtasks.exe
2352	schtasks.exe
640	schtasks.exe
2488	schtasks.exe
1932	schtasks.exe
1656	schtasks.exe
796	schtasks.exe
2008	schtasks.exe
2384	schtasks.exe
2380	schtasks.exe
552	schtasks.exe
1336	schtasks.exe
1564	schtasks.exe
1928	schtasks.exe
2520	schtasks.exe
1680	schtasks.exe
280	schtasks.exe
2000	schtasks.exe
2480	schtasks.exe
1004	schtasks.exe
2160	schtasks.exe
700	schtasks.exe
2756	schtasks.exe
1112	schtasks.exe
1760	schtasks.exe
1528	schtasks.exe
2972	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2748	DllCommonsvc.exe
2444	powershell.exe
904	powershell.exe
2280	powershell.exe
1072	powershell.exe
1020	powershell.exe
1588	powershell.exe
1044	powershell.exe
996	powershell.exe
1956	powershell.exe
1516	powershell.exe
1732	powershell.exe
2272	powershell.exe
2296	powershell.exe
2692	powershell.exe
768	powershell.exe
2828	powershell.exe
808	powershell.exe
2560	lsass.exe
2276	lsass.exe
2784	lsass.exe
2036	lsass.exe
2484	lsass.exe
408	lsass.exe
1648	lsass.exe
812	lsass.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	DllCommonsvc.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	808	powershell.exe
Token: SeDebugPrivilege	2560	lsass.exe
Token: SeDebugPrivilege	2276	lsass.exe
Token: SeDebugPrivilege	2784	lsass.exe
Token: SeDebugPrivilege	2036	lsass.exe
Token: SeDebugPrivilege	2484	lsass.exe
Token: SeDebugPrivilege	408	lsass.exe
Token: SeDebugPrivilege	1648	lsass.exe
Token: SeDebugPrivilege	812	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2332	1884	JaffaCakes118_a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf.exe	28
PID 1884 wrote to memory of 2332	1884	JaffaCakes118_a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf.exe	28
PID 1884 wrote to memory of 2332	1884	JaffaCakes118_a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf.exe	28
PID 1884 wrote to memory of 2332	1884	JaffaCakes118_a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf.exe	28
PID 2332 wrote to memory of 2732	2332	WScript.exe	29
PID 2332 wrote to memory of 2732	2332	WScript.exe	29
PID 2332 wrote to memory of 2732	2332	WScript.exe	29
PID 2332 wrote to memory of 2732	2332	WScript.exe	29
PID 2732 wrote to memory of 2748	2732	cmd.exe	31
PID 2732 wrote to memory of 2748	2732	cmd.exe	31
PID 2732 wrote to memory of 2748	2732	cmd.exe	31
PID 2732 wrote to memory of 2748	2732	cmd.exe	31
PID 2748 wrote to memory of 996	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 996	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 996	2748	DllCommonsvc.exe	84
PID 2748 wrote to memory of 904	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 904	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 904	2748	DllCommonsvc.exe	85
PID 2748 wrote to memory of 1516	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 1516	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 1516	2748	DllCommonsvc.exe	87
PID 2748 wrote to memory of 768	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 768	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 768	2748	DllCommonsvc.exe	88
PID 2748 wrote to memory of 1956	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 1956	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 1956	2748	DllCommonsvc.exe	89
PID 2748 wrote to memory of 1020	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 1020	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 1020	2748	DllCommonsvc.exe	90
PID 2748 wrote to memory of 2316	2748	DllCommonsvc.exe	91
PID 2748 wrote to memory of 2316	2748	DllCommonsvc.exe	91
PID 2748 wrote to memory of 2316	2748	DllCommonsvc.exe	91
PID 2748 wrote to memory of 1588	2748	DllCommonsvc.exe	92
PID 2748 wrote to memory of 1588	2748	DllCommonsvc.exe	92
PID 2748 wrote to memory of 1588	2748	DllCommonsvc.exe	92
PID 2748 wrote to memory of 1732	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 1732	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 1732	2748	DllCommonsvc.exe	93
PID 2748 wrote to memory of 2272	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2272	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2272	2748	DllCommonsvc.exe	95
PID 2748 wrote to memory of 2296	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 2296	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 2296	2748	DllCommonsvc.exe	97
PID 2748 wrote to memory of 2444	2748	DllCommonsvc.exe	98
PID 2748 wrote to memory of 2444	2748	DllCommonsvc.exe	98
PID 2748 wrote to memory of 2444	2748	DllCommonsvc.exe	98
PID 2748 wrote to memory of 2280	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 2280	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 2280	2748	DllCommonsvc.exe	99
PID 2748 wrote to memory of 1044	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 1044	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 1044	2748	DllCommonsvc.exe	100
PID 2748 wrote to memory of 1072	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 1072	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 1072	2748	DllCommonsvc.exe	101
PID 2748 wrote to memory of 2692	2748	DllCommonsvc.exe	112
PID 2748 wrote to memory of 2692	2748	DllCommonsvc.exe	112
PID 2748 wrote to memory of 2692	2748	DllCommonsvc.exe	112
PID 2748 wrote to memory of 808	2748	DllCommonsvc.exe	116
PID 2748 wrote to memory of 808	2748	DllCommonsvc.exe	116
PID 2748 wrote to memory of 808	2748	DllCommonsvc.exe	116
PID 2748 wrote to memory of 2828	2748	DllCommonsvc.exe	118

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a44a63b90dbcc40a07234f6452a3c31135f705d3a58388569d564c298734ccbf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        6⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2536
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        8⤵
        
        PID:2372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1588
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        10⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2812
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat"
        12⤵
        
        PID:1968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2480
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
        14⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2924
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
        16⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2300
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        18⤵
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1000
        
        C:\MSOCache\All Users\lsass.exe
        
        "C:\MSOCache\All Users\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
        20⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\ehome\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\ehome\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\ehome\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\7-Zip\Lang\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bc446f62865b154caf8078647c1eee4

SHA1
cd13d1010e15de8e4cc018117008950e9c267fa9

SHA256
56b492a83af0a27f1314c2641fadf1b0186c60199a7328bff510437484ba1cb3

SHA512
acd3fadeeac7add307e922c3c0f129f401aa2a76b59d00ca290062113082bc3b9d22a177d72dc70045864d88438646a041e508c1e9fa4b47d7dc1c92a164ee99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a8fa0c00a79ab4863f4165e1b9c56ef

SHA1
608c8d3c6a6ab428887a55c0f194c99954d88400

SHA256
f9b820c3b51c174873535c01a6772219226aa53cabb803e1da65ccbb23af1277

SHA512
494328e65ff0a127b2e30addc7581e0220f4ad4af65c6b404a3519e82c4d5acacdcabc96ac467e57a6cc46e756a802974bf51e0bf95dc89958a0520efdd992fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16c65bf98f4d92bd796d94b91df465ef

SHA1
319bc9c8bf73e3d19f0821d4fa28466c6349ac93

SHA256
46114d30c577126bb4bb2ffc10957fe3392cea030dbf77b4590489f04368139b

SHA512
4a1820f7cfdd69a56063060e700fcf88c3877a014b05bb176dc3faa40f3a13116297ab5dd8c4c94eb8347e6aed083d4e5140eb06024308084e534c97b33c8f9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fdf149b847aa0cc0cadc4144b614102

SHA1
35527049964e3ab1989638d26b72ceeff47d989c

SHA256
547add829c3885dfbe594ef6dd8c553b0df90a788113083a269e4df544b111e3

SHA512
3cfeea1118c9f5510255db3567481c31064870eb9ca87b8221e4adf3f15bc1efad384ac850f6c97be822607c44ef03ebdec91ce1a29a0022ff376bb26656fbe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
358a46616b5b23982b3e630fe034d2bd

SHA1
c496d14b4c5c8ddf683d4b0b2ddacf86a733ce63

SHA256
439ee00eb13211243bcda10dad3b0f37bc2c631df8c625b096c5a749d79ff77f

SHA512
ea4e822374b684b3d1d828724667719edced71d4037ca2e2cc27ca3fb380e3ab671a300ec239fe474fafeb41b8c69c0014cd45cde8dfdbbfe52e37bcf459e14c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02b63c641f47654228c03ba7611b5ded

SHA1
f459360660cb38053f3a26c3957b09ea0ded9342

SHA256
dab835b0b0e042b3317f84bd6f7c4d404c351af2cda8fa9b0225e50b5a0ed821

SHA512
62669ed4b2e057bd2dbd29cb02109e9a794b3ff9b0b5f7aa77085491aaf525beb9c047ae8c9b5c739f1d0c07d873f7096e7fd641c65090b61322e144a0d454e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
836ad8fc2f4e79458e05d81c1868106d

SHA1
72c82309618faabfc53abc90b91b4b047cae0924

SHA256
be4737ee87b6d1414a46e8e7edff704b7cecc87e666504d095b17a87bd1e9d69

SHA512
74d00beaed0cdce1a4585bb82809315fdcd94a1ad2be06f411aa41a8a39f0d38771605d97a3b4f71832cb0bf54f780a5edab33b5d3ea0c11603b194719ef1817

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
196B

MD5
00311485160691a3ad77e4e71fbca84b

SHA1
231a97048521cd501b4ef23719848a1e78a473e0

SHA256
7aead4898ee7c330e1cccbffe746df4d948f3d98177492a82d5953a15b80c347

SHA512
1899c8e9bdae7a14312d0995c9846aca08f71fca83581fd2f86a9d63532e5d82e658063ff730578ab4472258319a16e3674ad687d952fc4312cf21de998b2ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat

Filesize
196B

MD5
e9a7264ee800bfa0785599935d8ca10e

SHA1
98cdde442c754b1d0ff1f66e45078d5ae516da3c

SHA256
988db03d5eb56cc972b3e793833450684b7f946ed3e8e6b0f7c70e9ab0c378f8

SHA512
c72e0807f6dce1beb41913c9e8f9ee89b53d4eb5f5a3c2f93d3fce33699de566dd2fdda4afa67a265a9b7f04f3a9d144d96ebd1a9b67e8f52f49c73dedf233a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB52E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
196B

MD5
e1883f8cdd17fcda64e8e595fd7eefbd

SHA1
a4c9669bfa34e084ef7afb485e808742676ff387

SHA256
eef0454681cbf9a110ca8e28e8a982b625324e8a396a4c89eecfa89499528982

SHA512
7efefa85e9d42d132d3c1164af5c6703268c31f0694e1571be0b0eed967e48b8dbda40d46425da9a5e53f9cc0f51239fd22a7f3dcaaa9a942fbda19dbc8bc8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
196B

MD5
f097e653f70b78bc33dab84472b0f46f

SHA1
f8a9e6e7e5ec0c7d804efd647135f0ca9724a75c

SHA256
cf660b327882814536f4c63b62e7f860e8c6b83832f614e974fb4975c9fad745

SHA512
244db62a48b353f064b97dc9d9bdc5b3bce880e9b8432f17b20fe56b545eb71007cbfa8d07e0297e3f4becc890201f80dc118241a1f8ddc91dc60758edfb4f7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB540.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z4XVup0LT1.bat

Filesize
196B

MD5
4aad16f65794ef4518cba910eafb10b5

SHA1
202c541902cdf3a837e651688dda6bfbad4e3dd5

SHA256
294c4eb08f2837cb80b481f9b567fb58cc7e80ad3d428462bf34d0620a5ca6c5

SHA512
e558897f2947971d943d2794b579dc0ae1710dfe36410f51abd43fadcec31df0fea7c00e18efd3da2023a72d58ccfc95017f96f8c822a90a039693861dbc896e

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
196B

MD5
df799ace0bef61ee508581edd456a061

SHA1
b5747c653405166adb55452b09dbc71efc55e1c7

SHA256
04fe98180380a50ea5f7a80e7b3be5006784b5518bfd00c5deef5518405c1219

SHA512
1a6994d184d9ccf56bfc27f2782faf969a96503d81e0a766042f59f26ae3c5a7cde14ee31d8008a634e804ba867db61e65e03af8fa6d9bb1923c252869ec3f97

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

Filesize
196B

MD5
0258a2fc32099d3b860f3354dad3ca54

SHA1
ed4f90e9fc3aeb439df79e88b405aa56a5d20d1c

SHA256
4523b84900a824b077087dedc59bd0ada2d4b50188ec9679930297826d4a0c01

SHA512
a0b589de79b357fac45c03cd6822762d4dc2a85c11f19cbfcb38fd9c53dddc2649cb7157433a881349a244eb4538823afbcdf66afc004116d96c1da2a396cf64

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat

Filesize
196B

MD5
d3bfd0e4fcae496a22837efdb62c935f

SHA1
aefd47e646dd3e22cba39d200de83a7afb25aabf

SHA256
1838c3465e5e87da4267bcb4979f7b8a910e3f5d70bfb05f54a2840f295b1ba7

SHA512
e0b9b464887fa0c416d3bed3969dabe9c9da4bb42fa23c3dfef330648330058d8d27117c36b507545674b7f855d71acadbd3cf19edac02fba1a8860d9f104dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b21cfdbfa23b033ae861162166c1e1db

SHA1
f6280d923b86ea3824e95acb90e1f10afa637051

SHA256
fea8470d607a154265c5cb7524d878cc8701d79235c3ba68e81d457bfdb724cb

SHA512
263ce4dd3f76752b5eab71807cc84aeac9a72f0ad1909b9c120b75b50ec23c9eff27f4e6d025966a42938122631492a532a827047a3817672321f06b86f3c8d0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/408-442-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1648-502-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2036-322-0x0000000000990000-0x0000000000AA0000-memory.dmp

Filesize
1.1MB

Download
memory/2276-202-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download
memory/2444-66-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2444-67-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2484-382-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2560-75-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2748-17-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2748-16-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2748-15-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/2748-14-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/2748-13-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2784-262-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download