dcrat | cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e.exe
Size

1.3MB
MD5

d5d7324b6f9b92da9d2b74886b17831e
SHA1

bf6cd2aac365dc00e7f4943d2c88670d580b025b
SHA256

cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e
SHA512

a848fa719d2da943dc0a8f5013fa00bbb5374fa0c1c28594dd18c36375918a3a2768b729a55f7fbbcc7841ad1dd680412dfa75d2d7363d929b8267ed8d2661ba
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2672	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2672	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019438-12.dat	dcrat
behavioral1/memory/2852-13-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2756-52-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1664-187-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/memory/1724-248-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2712-309-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/356-369-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/2632-429-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/1272-489-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/1988-549-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2996	powershell.exe
2472	powershell.exe
1944	powershell.exe
1804	powershell.exe
1952	powershell.exe
2832	powershell.exe
2324	powershell.exe
792	powershell.exe
1932	powershell.exe
1956	powershell.exe
1688	powershell.exe
1940	powershell.exe
896	powershell.exe
2332	powershell.exe
1936	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2852	DllCommonsvc.exe
2756	csrss.exe
1664	csrss.exe
1724	csrss.exe
2712	csrss.exe
356	csrss.exe
2632	csrss.exe
1272	csrss.exe
1988	csrss.exe
1804	csrss.exe
1224	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2804	cmd.exe
2804	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
31	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\include\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\AvailableNetwork\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\schemas\AvailableNetwork\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2500	schtasks.exe
1356	schtasks.exe
3020	schtasks.exe
1336	schtasks.exe
1644	schtasks.exe
536	schtasks.exe
1092	schtasks.exe
1220	schtasks.exe
2284	schtasks.exe
1700	schtasks.exe
1560	schtasks.exe
2076	schtasks.exe
540	schtasks.exe
1284	schtasks.exe
2052	schtasks.exe
1088	schtasks.exe
112	schtasks.exe
1728	schtasks.exe
644	schtasks.exe
1764	schtasks.exe
2344	schtasks.exe
2732	schtasks.exe
2536	schtasks.exe
2256	schtasks.exe
716	schtasks.exe
2876	schtasks.exe
1120	schtasks.exe
1300	schtasks.exe
972	schtasks.exe
2192	schtasks.exe
2208	schtasks.exe
2972	schtasks.exe
2012	schtasks.exe
628	schtasks.exe
2312	schtasks.exe
2264	schtasks.exe
700	schtasks.exe
1028	schtasks.exe
776	schtasks.exe
604	schtasks.exe
408	schtasks.exe
2404	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2852	DllCommonsvc.exe
1688	powershell.exe
1944	powershell.exe
2332	powershell.exe
1940	powershell.exe
1952	powershell.exe
1932	powershell.exe
1936	powershell.exe
1804	powershell.exe
2324	powershell.exe
2472	powershell.exe
792	powershell.exe
1956	powershell.exe
2832	powershell.exe
896	powershell.exe
2756	csrss.exe
2996	powershell.exe
1664	csrss.exe
1724	csrss.exe
2712	csrss.exe
356	csrss.exe
2632	csrss.exe
1272	csrss.exe
1988	csrss.exe
1804	csrss.exe
1224	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	DllCommonsvc.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2756	csrss.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1664	csrss.exe
Token: SeDebugPrivilege	1724	csrss.exe
Token: SeDebugPrivilege	2712	csrss.exe
Token: SeDebugPrivilege	356	csrss.exe
Token: SeDebugPrivilege	2632	csrss.exe
Token: SeDebugPrivilege	1272	csrss.exe
Token: SeDebugPrivilege	1988	csrss.exe
Token: SeDebugPrivilege	1804	csrss.exe
Token: SeDebugPrivilege	1224	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2788	1388	JaffaCakes118_cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e.exe	31
PID 1388 wrote to memory of 2788	1388	JaffaCakes118_cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e.exe	31
PID 1388 wrote to memory of 2788	1388	JaffaCakes118_cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e.exe	31
PID 1388 wrote to memory of 2788	1388	JaffaCakes118_cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e.exe	31
PID 2788 wrote to memory of 2804	2788	WScript.exe	32
PID 2788 wrote to memory of 2804	2788	WScript.exe	32
PID 2788 wrote to memory of 2804	2788	WScript.exe	32
PID 2788 wrote to memory of 2804	2788	WScript.exe	32
PID 2804 wrote to memory of 2852	2804	cmd.exe	34
PID 2804 wrote to memory of 2852	2804	cmd.exe	34
PID 2804 wrote to memory of 2852	2804	cmd.exe	34
PID 2804 wrote to memory of 2852	2804	cmd.exe	34
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 2332	2852	DllCommonsvc.exe	78
PID 2852 wrote to memory of 1952	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 1952	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 1952	2852	DllCommonsvc.exe	79
PID 2852 wrote to memory of 1936	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 1936	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 1936	2852	DllCommonsvc.exe	80
PID 2852 wrote to memory of 1956	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 1956	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 1956	2852	DllCommonsvc.exe	81
PID 2852 wrote to memory of 1940	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 1940	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 1940	2852	DllCommonsvc.exe	82
PID 2852 wrote to memory of 1944	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 1944	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 1944	2852	DllCommonsvc.exe	83
PID 2852 wrote to memory of 792	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 792	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 792	2852	DllCommonsvc.exe	84
PID 2852 wrote to memory of 2832	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 2832	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 2832	2852	DllCommonsvc.exe	85
PID 2852 wrote to memory of 1688	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 1688	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 1688	2852	DllCommonsvc.exe	86
PID 2852 wrote to memory of 2324	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 2324	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 2324	2852	DllCommonsvc.exe	87
PID 2852 wrote to memory of 896	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 896	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 896	2852	DllCommonsvc.exe	88
PID 2852 wrote to memory of 2996	2852	DllCommonsvc.exe	89
PID 2852 wrote to memory of 2996	2852	DllCommonsvc.exe	89
PID 2852 wrote to memory of 2996	2852	DllCommonsvc.exe	89
PID 2852 wrote to memory of 1932	2852	DllCommonsvc.exe	90
PID 2852 wrote to memory of 1932	2852	DllCommonsvc.exe	90
PID 2852 wrote to memory of 1932	2852	DllCommonsvc.exe	90
PID 2852 wrote to memory of 1804	2852	DllCommonsvc.exe	91
PID 2852 wrote to memory of 1804	2852	DllCommonsvc.exe	91
PID 2852 wrote to memory of 1804	2852	DllCommonsvc.exe	91
PID 2852 wrote to memory of 2472	2852	DllCommonsvc.exe	92
PID 2852 wrote to memory of 2472	2852	DllCommonsvc.exe	92
PID 2852 wrote to memory of 2472	2852	DllCommonsvc.exe	92
PID 2852 wrote to memory of 2756	2852	DllCommonsvc.exe	101
PID 2852 wrote to memory of 2756	2852	DllCommonsvc.exe	101
PID 2852 wrote to memory of 2756	2852	DllCommonsvc.exe	101
PID 2756 wrote to memory of 2532	2756	csrss.exe	109
PID 2756 wrote to memory of 2532	2756	csrss.exe	109
PID 2756 wrote to memory of 2532	2756	csrss.exe	109
PID 2532 wrote to memory of 688	2532	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cfdfe1745ca438101536b3a10ec6ce3389538455c543481e46f8e2406ebc511e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\include\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\schemas\AvailableNetwork\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2756
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:688
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
        8⤵
        
        PID:2260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2632
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
        10⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1900
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
        12⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2732
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat"
        14⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2052
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        16⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2508
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat"
        18⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:936
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        20⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2228
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat"
        22⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2912
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\include\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\include\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\schemas\AvailableNetwork\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\ModemLogs\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c59d0bac73e4f6140120b1b4484c79d

SHA1
53a32611bad68d32f94976751e31d85205df5acc

SHA256
da57503bd69ecf111ca7a0b6b098826b409486952af97c9dcbf1d1b4d5736b2e

SHA512
30fbb5ec27d5dc3723d936d3720a3909800756c51c321c9f43d6b97970133673c388988714fce4ef1d0b4ed931d2b8cf12522528a80ef264e0973cf1f3c051cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd1f7d20f9bde41f07543d6c84514a35

SHA1
4b11309b521ed42e1ce3000bff47d9a9307c9734

SHA256
f2a33f66297d0232aae76694c1b232e604e813fb914230ce959310230bcd1113

SHA512
4b5c64530dc4e604b49529838efae00ecc311db24abef83751a9bd1b8b55c814946d6600b1c13b770d40e384950f84cf2efda81111a4956f7cca978c99ca9318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad0fa221178164ef288c1593614a0afd

SHA1
22fe3b34a2cc0f86b3dece529ee29d4807907895

SHA256
917a51820bf23d86447fb019294b9399c80f386660612d25034fd5b2ed0841da

SHA512
730480ee36d46d568636b93cfe90c4a2945a49253b9c47d89efbababd1caf5083a61b9f81951ed97e4eca2dc1c763e2149af643091f0b8f12f8e9e75040027f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1dbf790bed9cceb5e9f4774fed632bcf

SHA1
95f5271b1ad234840ed6fcca04be46d0fa452c0e

SHA256
e50f45553000289469f13ee5920df2479f4cae6d20767909e2f665edeccabad5

SHA512
4259e08866a59f2a4ff3ec763bdb964b69294a555f63fd4b0b16226375cbdbe3e4ea9e39257a648f42f986532693d5218b39040c1ada8e5fe92472714a0523d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728245668a71250bdc7e8049e2890ee2

SHA1
bec69d921548271680371de496f511c9bdeddb08

SHA256
489ff6466f0882aa80608691172d19e2ace9f685cfc6ba91d5fdd04206f6262f

SHA512
29a48c59f77012fed101b92c3ab6cf58ff1ae934dfae03f773f1cd289b4f3dfdcd7bb26c722b3af01f4fd666aab2e4d8a47069d3fbf5afc715e59da9ea6aba28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d010b4aed898f1257155fb056c3b4ce3

SHA1
2c596c418a2ebc7b4c8ab36de1b2bd7eef376ca2

SHA256
95283e88ce13b7d581478e8563c53958896d15fd08f57aee695bbbe3d507ae09

SHA512
48853535938dbe260d84b3bfe92a764970e38ac951ce152e1921ad10e8d140e31d0001a4a9a2bcdaa47f3c57d0732841f85327c7e885782fc56cbe8af3641b9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63f91e2ba47678fa8e4b2f2707794fee

SHA1
c5588b6dd575547da08d08d492c939e5fcd9b7e7

SHA256
3f62c9a83e2b1e35c0398c14b04a14937024854bc891ef5bb230d16ccc739fc7

SHA512
75c05a95943e0f8ec934d603729e5234ac807d1fa56e662cb2188a135e649148a5ffe337d7151d9856773a9499623ef5fefdae23011b13f75bcfaed3172ffeb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b68cebc92cc1e2b19ab8159b250027f8

SHA1
3ab082414fef55a55c6aae0477d7bb8c4871e101

SHA256
400f606a3a55a22bf17e5b1c712e98f1a8d53f3713422910738088ef67378aad

SHA512
6a4c90b174636f70aaafd51ca8c7103d01a09f91ac17a8ca4ecc11dc0245385d66d9a9fd9ce9606ad113d010457f2a43eee218fbe4975d1e5e5defcfcaa8bda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f215a4437684de1b84f0a0f53bfbf826

SHA1
3be4fb3932120e5a167f38015935e1291082a09b

SHA256
c060fc0cb48a92bf8d56d9236d5d6f31aedfc310dd8e277c66ff52de327690a1

SHA512
4043fc2aaa08a6a7f88aff41cf9df8248ca03d6bfde349d0e63e5e6b7e066f2997aa66ad40dc3c36c1ad7ce155f09c18a729c1fd0daab1eb341d09d17cee8fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Lxx1rvPQX.bat

Filesize
237B

MD5
67fc1d56e88c61c1501b73fff80bfd5c

SHA1
27fd9b6b15dc9dc17e72c743c43067bdc465c1b8

SHA256
87af6aebb8df3189b8b98db7e34bf47bc2a17448924a765082ed10b45dd5ff6c

SHA512
63f72ae62b596170bda3ff831b3424578a7360017d679610ac9f34c7ff30aa55f17d7d6718b61a0bed3a471e8277b9be4c4dbcbc009887f29d05a8ad0ddfe95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDCDGXc9ch.bat

Filesize
237B

MD5
eb64c9943a81ed99ef7c993d91d115db

SHA1
47d853461b18cf269902dcde3ce28bc1c4582313

SHA256
73b7871e7d66096bfc748676f025d02619366c77c58073559669f26c1b4c875a

SHA512
b2d00a29dfc31b5768cc3372f914d39e1f90ee47c3e1925df819d4c29f503474817a5297760fd878d1a29a31ec0ee5ab232c4e87a5a7fb8ae51295211f372e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
237B

MD5
58b338cf54d6cb92fa674a813459216b

SHA1
5e04746e90814e12b680df0c4437fad2b88f8916

SHA256
809ec701a559cac7a613b5019f2316bee9ad7937b3c9beb88238c12ba203931a

SHA512
6cd8c8e2f60f4cf43356bbe8416b24ab023f75fc37d47e35862164ef9d0f1341f6247b5e3886d95dac5429d6f95cb2fa3c555f8b37755012750016f7e7cd7715

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B11.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DFgOOKl5EO.bat

Filesize
237B

MD5
6f790ae7374854c2838f025ddd677c6b

SHA1
9c34f6806cdeb8f81390d9aa791a3a105ce7d07e

SHA256
5eb48bb22d39cc86eb83264f18fcac25a983f2cac498304a5fe01715dc4a201b

SHA512
7732c494105bb117425ef25bf7c3c824d40cae7fecb8aa92cd2ed705c6a4862dd547d56cd0c6bd9f1d4e5a227b2974a830984f9bba4a04f17be082ebc9332a0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat

Filesize
237B

MD5
7ddac2a6724f05a656aa0d67699d22e3

SHA1
edf0cf77c0aebfd89b93d648d043d85027a2a611

SHA256
40c3f35b00b4f3cfb2577d881be21d99c8f2f2f8fbe5a939e2207791f7d9053f

SHA512
227cc51035537f1620fec7a28ee1016b8d70118a9524861e50d5e01d04483d5a7754b451ff2af38e9e70fbb8c80ae4fe8d0ec72be12e6e4a13c241e895ee5023

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
237B

MD5
42fffbf6db362b4805bc999ae560d2f5

SHA1
9b5179fd47cf128bc58ad1ad2a22c5a9f40fc7f3

SHA256
872f13ae2dbf9dcaafc703ec506e32f8b237ea8d4f54d24ab4f248a18b320773

SHA512
0de1a7514fc726dba7d4b848f5c0dbfe949766ea20e78726e8d138b68ec134a872fd2e4e7db66fc3c91cdd8e2282992eb097f458634988ae0f23e5ccc9af354b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B43.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
237B

MD5
5f0c02a1f5ad75aea747c9605cc3e2a2

SHA1
9248ffad2510a81b69ec4f297cd015344ca66dbc

SHA256
476a9ce25bc60d698d9e469e5b31df18f34e49fcdc5f50331cfcff508f75a424

SHA512
020f9fe15d38d7ba1c3507c142f158b1b469f5bc335bae65fe1b8966e7789395abb122f1a48044ac31f4fda01824092dcfe584f52c17ca32ea825988f5fd0202

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

Filesize
237B

MD5
2f486ef0ef62989ac625394901ae143c

SHA1
60d46523385cda1f891ab55af4e688c4f1c19e05

SHA256
9dee9c25c142cc856d8db5fb6f44113c8bb2d991e2a005e77534cfd8f5af6c4f

SHA512
34f3be984eb2e80842e96663f1915d2ee4f9c92cb61c5d02a7b71b10c1eb12fd194c8949366d9d67cf366b765f00badf2bdbbed7ef60d5da580fc5573be9dc77

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
237B

MD5
0e8fcd46fa971cd93aa7ee4dab0c2010

SHA1
75d727bbe31bc62d59ade779c17e65bcde56dfe4

SHA256
6cba23154fa5c21aeb7e4c0183343866e192ea8530e18820aa422a6f9086d01a

SHA512
e3d30d18865c776de1fe182dc1c84445eb7cf1997e34419708bded57017dac099dca53a649ba51e5123309a18288c535f166aed39a70d3d8fbd7414b0eb380b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e128ae79aba5ff759de43eabe84f8670

SHA1
4ad26953bb6f6aae6906da480adab82729cbe7e4

SHA256
592a8c77e01892dea1c4024c0b2384c44bf6ea91a2812fe7306259e8df63fb5e

SHA512
1f48f7504d5b70a312aa2690537e22cc5d8d7aca005890c76dc1a26da798b694da431bffd88a7eaa3d4b60fea44e05e14fdd18480c308e9e90006895e9d948f8

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/356-369-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/1272-489-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/1664-188-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1664-187-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/1688-79-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1724-249-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1724-248-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1944-78-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/1988-549-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2632-429-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2712-309-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2756-52-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2852-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2852-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2852-13-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2852-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2852-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download