dcrat | 5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a.exe
Size

1.3MB
MD5

fef927b48de4d8411d402a3e6b4ec355
SHA1

7a90d124246c2ecae5a66944394063bb92e7d9f2
SHA256

5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a
SHA512

2a21f219f943434cbd59c4faa16bf41fa6c764b245385905e9fa0912aefa96417ed7f2f79698d7367e9c3671ad60a3fa01df1dd427dd44f86367827e187c9e8b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	3024	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3024	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001686c-12.dat	dcrat
behavioral1/memory/2244-13-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/980-120-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/2760-179-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/792-419-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/1428-479-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2844-539-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/2372-658-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2348-719-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1476	powershell.exe
1428	powershell.exe
2420	powershell.exe
2116	powershell.exe
2004	powershell.exe
2372	powershell.exe
2036	powershell.exe
2268	powershell.exe
1208	powershell.exe
2868	powershell.exe
1472	powershell.exe
2240	powershell.exe
796	powershell.exe
2236	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2244	DllCommonsvc.exe
980	audiodg.exe
2760	audiodg.exe
2344	audiodg.exe
964	audiodg.exe
1640	audiodg.exe
792	audiodg.exe
1428	audiodg.exe
2844	audiodg.exe
2416	audiodg.exe
2372	audiodg.exe
2348	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	cmd.exe
2936	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2248	schtasks.exe
1440	schtasks.exe
2620	schtasks.exe
2324	schtasks.exe
2884	schtasks.exe
408	schtasks.exe
1788	schtasks.exe
2920	schtasks.exe
2816	schtasks.exe
2272	schtasks.exe
1884	schtasks.exe
1520	schtasks.exe
604	schtasks.exe
1624	schtasks.exe
2564	schtasks.exe
2588	schtasks.exe
1272	schtasks.exe
1740	schtasks.exe
1616	schtasks.exe
2340	schtasks.exe
1876	schtasks.exe
2720	schtasks.exe
2716	schtasks.exe
2024	schtasks.exe
2472	schtasks.exe
644	schtasks.exe
1720	schtasks.exe
1848	schtasks.exe
2952	schtasks.exe
2440	schtasks.exe
2332	schtasks.exe
1852	schtasks.exe
1288	schtasks.exe
2296	schtasks.exe
1200	schtasks.exe
668	schtasks.exe
2644	schtasks.exe
2584	schtasks.exe
1572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2236	powershell.exe
2116	powershell.exe
2420	powershell.exe
796	powershell.exe
2004	powershell.exe
2868	powershell.exe
1472	powershell.exe
1428	powershell.exe
2240	powershell.exe
2372	powershell.exe
2036	powershell.exe
1476	powershell.exe
2268	powershell.exe
1208	powershell.exe
980	audiodg.exe
2760	audiodg.exe
2344	audiodg.exe
964	audiodg.exe
1640	audiodg.exe
792	audiodg.exe
1428	audiodg.exe
2844	audiodg.exe
2416	audiodg.exe
2372	audiodg.exe
2348	audiodg.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	DllCommonsvc.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	796	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	980	audiodg.exe
Token: SeDebugPrivilege	2760	audiodg.exe
Token: SeDebugPrivilege	2344	audiodg.exe
Token: SeDebugPrivilege	964	audiodg.exe
Token: SeDebugPrivilege	1640	audiodg.exe
Token: SeDebugPrivilege	792	audiodg.exe
Token: SeDebugPrivilege	1428	audiodg.exe
Token: SeDebugPrivilege	2844	audiodg.exe
Token: SeDebugPrivilege	2416	audiodg.exe
Token: SeDebugPrivilege	2372	audiodg.exe
Token: SeDebugPrivilege	2348	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2980	2204	JaffaCakes118_5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a.exe	30
PID 2204 wrote to memory of 2980	2204	JaffaCakes118_5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a.exe	30
PID 2204 wrote to memory of 2980	2204	JaffaCakes118_5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a.exe	30
PID 2204 wrote to memory of 2980	2204	JaffaCakes118_5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a.exe	30
PID 2980 wrote to memory of 2936	2980	WScript.exe	32
PID 2980 wrote to memory of 2936	2980	WScript.exe	32
PID 2980 wrote to memory of 2936	2980	WScript.exe	32
PID 2980 wrote to memory of 2936	2980	WScript.exe	32
PID 2936 wrote to memory of 2244	2936	cmd.exe	34
PID 2936 wrote to memory of 2244	2936	cmd.exe	34
PID 2936 wrote to memory of 2244	2936	cmd.exe	34
PID 2936 wrote to memory of 2244	2936	cmd.exe	34
PID 2244 wrote to memory of 2268	2244	DllCommonsvc.exe	75
PID 2244 wrote to memory of 2268	2244	DllCommonsvc.exe	75
PID 2244 wrote to memory of 2268	2244	DllCommonsvc.exe	75
PID 2244 wrote to memory of 2240	2244	DllCommonsvc.exe	76
PID 2244 wrote to memory of 2240	2244	DllCommonsvc.exe	76
PID 2244 wrote to memory of 2240	2244	DllCommonsvc.exe	76
PID 2244 wrote to memory of 1476	2244	DllCommonsvc.exe	77
PID 2244 wrote to memory of 1476	2244	DllCommonsvc.exe	77
PID 2244 wrote to memory of 1476	2244	DllCommonsvc.exe	77
PID 2244 wrote to memory of 796	2244	DllCommonsvc.exe	78
PID 2244 wrote to memory of 796	2244	DllCommonsvc.exe	78
PID 2244 wrote to memory of 796	2244	DllCommonsvc.exe	78
PID 2244 wrote to memory of 2236	2244	DllCommonsvc.exe	79
PID 2244 wrote to memory of 2236	2244	DllCommonsvc.exe	79
PID 2244 wrote to memory of 2236	2244	DllCommonsvc.exe	79
PID 2244 wrote to memory of 1208	2244	DllCommonsvc.exe	80
PID 2244 wrote to memory of 1208	2244	DllCommonsvc.exe	80
PID 2244 wrote to memory of 1208	2244	DllCommonsvc.exe	80
PID 2244 wrote to memory of 1428	2244	DllCommonsvc.exe	81
PID 2244 wrote to memory of 1428	2244	DllCommonsvc.exe	81
PID 2244 wrote to memory of 1428	2244	DllCommonsvc.exe	81
PID 2244 wrote to memory of 2004	2244	DllCommonsvc.exe	83
PID 2244 wrote to memory of 2004	2244	DllCommonsvc.exe	83
PID 2244 wrote to memory of 2004	2244	DllCommonsvc.exe	83
PID 2244 wrote to memory of 2116	2244	DllCommonsvc.exe	85
PID 2244 wrote to memory of 2116	2244	DllCommonsvc.exe	85
PID 2244 wrote to memory of 2116	2244	DllCommonsvc.exe	85
PID 2244 wrote to memory of 2036	2244	DllCommonsvc.exe	88
PID 2244 wrote to memory of 2036	2244	DllCommonsvc.exe	88
PID 2244 wrote to memory of 2036	2244	DllCommonsvc.exe	88
PID 2244 wrote to memory of 2372	2244	DllCommonsvc.exe	90
PID 2244 wrote to memory of 2372	2244	DllCommonsvc.exe	90
PID 2244 wrote to memory of 2372	2244	DllCommonsvc.exe	90
PID 2244 wrote to memory of 2420	2244	DllCommonsvc.exe	92
PID 2244 wrote to memory of 2420	2244	DllCommonsvc.exe	92
PID 2244 wrote to memory of 2420	2244	DllCommonsvc.exe	92
PID 2244 wrote to memory of 2868	2244	DllCommonsvc.exe	95
PID 2244 wrote to memory of 2868	2244	DllCommonsvc.exe	95
PID 2244 wrote to memory of 2868	2244	DllCommonsvc.exe	95
PID 2244 wrote to memory of 1472	2244	DllCommonsvc.exe	96
PID 2244 wrote to memory of 1472	2244	DllCommonsvc.exe	96
PID 2244 wrote to memory of 1472	2244	DllCommonsvc.exe	96
PID 2244 wrote to memory of 380	2244	DllCommonsvc.exe	103
PID 2244 wrote to memory of 380	2244	DllCommonsvc.exe	103
PID 2244 wrote to memory of 380	2244	DllCommonsvc.exe	103
PID 380 wrote to memory of 2296	380	cmd.exe	105
PID 380 wrote to memory of 2296	380	cmd.exe	105
PID 380 wrote to memory of 2296	380	cmd.exe	105
PID 380 wrote to memory of 980	380	cmd.exe	106
PID 380 wrote to memory of 980	380	cmd.exe	106
PID 380 wrote to memory of 980	380	cmd.exe	106
PID 980 wrote to memory of 2928	980	audiodg.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a9d7e9a8a5ea303d3359ec2da8fdf0ffd5e465ed7946e52c8a0b36ad25dbb9a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Music\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h4Pasc1pAC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:380
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2296
      - C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat"
        7⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:948
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        9⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1516
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"
        11⤵
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1936
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        13⤵
        
        PID:2640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2308
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        15⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1644
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
        17⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2208
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        19⤵
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2464
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat"
        21⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:900
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
        23⤵
        
        PID:1212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1980
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat"
        25⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1020
        
        C:\providercommon\audiodg.exe
        
        "C:\providercommon\audiodg.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
        27⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Documents\My Music\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Documents\My Music\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Journal\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Journal\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0f6d944e8236424ed78f57322a7c938

SHA1
1b412872b204c9a4dbf436a69d6e7b8a2f6d68b6

SHA256
4f02006bd46d21fb6392fd71f96f6384259ac41695acaae447939d0f27642a0c

SHA512
6548233cf0b76c6660d847930b80dbc5aadfd7aeb4a5d73bda0a3383c62a9c00d0eac58eeeabc5967658dff0403ace6c178e2e5ca7d768604aede2be6e8e1613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c474ec85ebbf84de4e3225dc1ee0b4bf

SHA1
029d40a26446e11866a3e164e6c9639f222acc99

SHA256
6bd7879968a97a548b372fca766c25531b0d82f441215ec86011d2bc374f7245

SHA512
43ecb83837c0aa98ce61783aaf3df514ace3c3e23db5e4784ce2fd91035b4bf6d92fe401f00ff382cb02cf641f38dda7caa88e34304f1b95922a13a7a311839b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cd5619d6cb3c9b198cb6e81815c0628

SHA1
25a2b543313e2dbff787906a0dcb419e463afb3b

SHA256
c47f08025e429434accabc7a28559f5744cd9006bba5559bf8c4a861534f3ca1

SHA512
62cb899adc82bdf6e6d4e58a6158e46b2c6b29293747b3030bb9a41ea8ddce40e87f8070b5c940f8d6876a1adb32b35af8672f7cff71f5b7f071a1809ee1b919

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd4ceec4700bcc942969826dff0c7b8e

SHA1
bf3e329e957906760299626cc6e429c700e43435

SHA256
d310035261d4bae767d002145422e6afd4c95820fadb6961fa2422a5189c990a

SHA512
2a6e7fcc5ec7f768ef7dd5f41f93225e84f61fa40b7d530b89a5bd04cce8555b25b20b88cc24ebdc6737cc8e33e45a3032e2d3ca6ce358736d924e6564a747d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46fb4d056035d26c591b1b0a9290ee2e

SHA1
5e5b037cb1a4d48f9fbe3949616cb75f32cf0b82

SHA256
c8734f7245a8fbc111e933ec141a943526e8991a7140e168bd2be5e94db9b3f2

SHA512
b464bd82350e1eabf9c0256bf0d9f4e8dbd01bda3271382d03ec60b6bc5ea6ffec30eb86ae9417a1194eb70e5b799fa1ecdedd6443c7c3a7e0361c1dbda9b581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20bc16d92212da169e4f13063382eaa4

SHA1
3e5fd148e45346927ba3cc43fab61722551f84a3

SHA256
b376d38a9ecee6ee1e5081d45c7811797f299617f7e103a8c946ecb4210f62b0

SHA512
ad009f32b4f08e7b3ca3dd8d35a08c3b03c67200dcd7b47f793f27696af63f5ec8896c8e3d572f725721f48b207f629c82b86212d96829a9884cc53f50852af0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d27adbfed0c8d33d68f6adbf1d37e8a

SHA1
5358d02858f73cc34f91f855a375d831ecceaac5

SHA256
ebbe6b3c5b1c2d3bc62995863e507d168dd5d1057da7c4c6c8407ff3b1bd02eb

SHA512
526be0bb19b6578c9ab6b5f8aaafb511ac5dd2a260e6c018ccab0cf54c88fc811b6f9cf0dba1946a82d4397ba595c62f153511c04a8506f272ee4fb02a02656a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
688bd5719807d60af37fad3bf025adb7

SHA1
d514e38040ff1a68fa358583630d9289ea594a40

SHA256
b21502651495b11987a6642679775969b3d26cb6373a5545be40d24ebdd3b122

SHA512
517167b22196c6d968b49c2a89758e7d5bab1e923ef81d7e05de0bceab0e0fc13582de730874e4113233868c870e92a5bbb8797497c971b6aa6975b176ef1d3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5491b91035aa7e0d01fd2d774f63e2b2

SHA1
0c532a3c88e32862b039d3f386980c0785a500bc

SHA256
e49e7ee44565c37f4cd1c9234aa0c1c10ffe6eb61e075aa94915831f56475985

SHA512
cd4bee919f492165afdaf3234f05dd82227ea3e06d868078000872cca125331b9b10f785af91716c57273e29739f01a10d5790298bb03d96c3c03bad09f680da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0c2ed282bffdccedf8a2d2b9b4ec7e2

SHA1
e591c689c28e7d16dce37dcf76651c2485957e07

SHA256
16300b9836ae7640a9bad0717ce673ccbb8ba5864b8bdb4d70394b3b08496c93

SHA512
907a531ed5017313991038ad25cac77ef396781c1761c17d2304751b6b46b511c47bd3e8d25740dc0aa5864d4e1ae7b1a2ed89188fce505f3b69e2e7f9816af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
194B

MD5
6f9bc7baed3421aa659d38c738207f73

SHA1
2232d4738c6eaf3ff19ca59c2fca275e78a3b744

SHA256
2cbe819eea2b64ebd470f8f63831e29e53e465354f549590e5c10665ad67f2be

SHA512
ab6a335b16827c37446c0d3fe1ea5383661075f6b855f3f46efe38ab7cec570e7a12f69fad007661092f0376591716d02630846ca2df5af414fea359cd2fcfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

Filesize
194B

MD5
df8cf870483b614cc789f1e5ae01d95c

SHA1
e7da6994bb0b6ce5ddc240a9e4508ea675db9a4d

SHA256
ec83e076737ab47a1ff5f380bc9f8f3068668f7a0bfe6c6d48e8e12e0442ae75

SHA512
10cbe224af1c91d6576f8d3caad56ec13c7265f5c61ef9b722f83b56dd11eb41d0be4d0e81c3d25a38c67c93e2c27b6659ac44b0a1e9f16344f29fcfb8543b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\5Ad8adCyX4.bat

Filesize
194B

MD5
29505213786b30100eaf5c9ad0f71225

SHA1
501c669a33599b8b96d1168a14da4b91696630fe

SHA256
c980fcd60bb1b8e9a8aadf7d74e54a8d0ff12549a42e29c405f34483451ba9d8

SHA512
a2ae70dedfdc3f4dd79080c6357d0f70222bd3789f61d004476ca9f8a728f5faeb21f55eed6c567db1b2617f40fcefc144455a289bf79b37e850260f7dd8d19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
194B

MD5
fd0d0936afd38e1c0f9930b3a059896e

SHA1
fc23e20a9522feb22ae27a9c220d00a55592b860

SHA256
9d9a0dca33163a43f9aa386d847b17f3e349d5b30cd654186efe6c7677e69812

SHA512
93695dc998e9e981d43c4e7fd670485253c91a0dd240289903bc0d59bca3542599940281a54042929c000b7a5a6558b54bd885520397904eaf16979dac925657

Download Submit
C:\Users\Admin\AppData\Local\Temp\95TPLp0dsP.bat

Filesize
194B

MD5
b5120aff0ee3abd1f73c028df49cda40

SHA1
721e41bcee5493e906e699b92e04a136ddc0440f

SHA256
4377c588e34482965940d5570cba589e5c05e27f3df23117564340d96d0ed59b

SHA512
94a3b586a0e7506c5af5048b71319f61b21d94676bc7c95813bc3ac9d5ee4591d5709ea13f4b935016da49866077398879d995b37a64ee2fa793f5f0052b69b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2657.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

Filesize
194B

MD5
2c63025b2923ff32aa207f02c02c84f8

SHA1
6f4b3facff0165356f4bf1a07a95d08a54a4ea63

SHA256
1894e87f479260768405cb18842a81ddf1f1a54a51b25b1a1008f57ee40d87a4

SHA512
8edd23365f0dd91ca325261e0550d2bd5a6dc5d6caa6bd04155487a5a9f2ce775ddc2c39337c6635117dfdf9f6644ae4a23c9c8d2265842cf4200f1b05c740ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat

Filesize
194B

MD5
d19855baa4a64b1a7412967ca7582d4a

SHA1
f8a8ebe04b2e8170c08b0b41e6e7bae5443b84d2

SHA256
48792dad81cb3f5560ae5a77fcc4c76996bb94076b848c56d7a99b5bbb73a187

SHA512
57375374f16a3b65d3b5e42ac1bd350eab87042753b1ad7dea65997abff0eb5ba8b50b6211504b898e197df2fc2dff4ca8b662a87d19009afa4f28a43ea40de5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar266A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VJj2LbMAw3.bat

Filesize
194B

MD5
84c1df2059b4641a0a55c020d0721fd0

SHA1
c4f26d1ed8099a8e12515aa8a22048fe9be17fee

SHA256
2eef50a65c9f7baacc4988c72a50a03d7d3fac1194027ef8fbb624cea3ef9493

SHA512
e5e3802ddd91f396cfcaf6e9520240ddfb3be97a6e067f42e0b873639cd14c2b33cc964658d20f86ef29ae67a246e93de348a3ab2b4211a7eae7990cb53419d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
194B

MD5
da9a674f1fb792d8ccfc9ea540c269ac

SHA1
27614946cd8fd76463260c51b878b45af7bd6ffd

SHA256
a67f9a5a3a5ac752b175e0c188428e62962c2b546392d4e67d7c1a73813e9659

SHA512
25ac7b0c632d24b432b5bb87e6e6434ad6fb5c97ded1d8ad52a4d1ad42f1fdc0cbd8afd27d7091401cb011a48d068057e2657fcfc176c63fd06f6c75a2dab049

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4Pasc1pAC.bat

Filesize
194B

MD5
fae8e00da7f8798ce295e473b62cdd91

SHA1
6f124800e4f21db4eac3dfb6204d69cbf441709b

SHA256
c4c993ae6910e8c962a42b42b7035846fbf4eaa487f3eae626f40159a8bef2d3

SHA512
00a90d19a74f231ad823679ddcdc5fb8d9248cfac3f6560888a8339ead08e14c60dd19674de62ab7cf652af7e763e88ff20ea380a5bb97c9c09da279e95db877

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
194B

MD5
3078335d0ed7d05b5fb1535f51f46b09

SHA1
a736a222c658d5c3cfb0e85e7b069ade13d15ac8

SHA256
4074aacd0bd053a752bf67480d99822a82146168a33c59d95d364541d7839b51

SHA512
25e713ceaa54be979b823afc9db1833eaf0fe361702252a20a5f141711b1eb1da4300b5213109418c43af51f65f79ee0cf9accfea6b3002ac1684bdb4b9f3529

Download Submit
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

Filesize
194B

MD5
c86ca4d788c7bb6bdd26c8a15ad3114e

SHA1
e0c2ceac82de5446829c116e9541019d8ec44c17

SHA256
14c92775219eb6b52e3b86024bcb51d63d47c736d3cfc08a2ef94d701721e7e6

SHA512
2b9dd961ac0c521d0eed947ec9b0e7289ef9c7b5fc805e3cffcd650d41d1cb2e3065f0aa852151ad77589d215f834eaf5b2dc31b76c0c50e6cc39842605f1b24

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9ba97759d75dc54ab0accf5057831515

SHA1
89d3bfc640c80fb50618b89d969a655ca6046237

SHA256
55b725272f94ee847778c72720652ae4b8e34cff3a29accfd7dac1f355e000eb

SHA512
6f9ba2dd23209e0d280c806e0b87dff980245a7b904cfaf21823654e3947578176c44421611c1cdfa6f898b58ba5fb105d6a28ef88709f3c5e46dc541f173623

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/792-419-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/964-299-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/980-120-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1428-479-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/1640-359-0x0000000000190000-0x00000000001A2000-memory.dmp

Filesize
72KB

Download
memory/2236-59-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/2236-58-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2244-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2244-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2244-15-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2244-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2244-13-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2344-239-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2348-719-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2372-658-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2372-659-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2760-179-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2844-539-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download