dcrat | bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b.exe
Size

1.3MB
MD5

baf7e1c40cea6055fe0ac4eac4057b8a
SHA1

4c2db7110b29f84acc677791dd8185685eeee023
SHA256

bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b
SHA512

d68d6f0f0fbfc65841b2fa36ab4b4f20c0e75bc50726f168e3925fd4efe1526efe652143f20da129d3f47b5b59e772918db8177b66925c3fcdeda5546be60183
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	3040	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	3040	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018634-12.dat	dcrat
behavioral1/memory/2740-13-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/740-131-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2544-191-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2856-369-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1072-429-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/912-489-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2996-549-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2232-609-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/2760-669-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
976	powershell.exe
1724	powershell.exe
1668	powershell.exe
2768	powershell.exe
2480	powershell.exe
1572	powershell.exe
2320	powershell.exe
340	powershell.exe
868	powershell.exe
1056	powershell.exe
2288	powershell.exe
2472	powershell.exe
1660	powershell.exe
1072	powershell.exe
2232	powershell.exe
2776	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2740	DllCommonsvc.exe
740	services.exe
2544	services.exe
2764	services.exe
2740	services.exe
2856	services.exe
1072	services.exe
912	services.exe
2996	services.exe
2232	services.exe
2760	services.exe
2368	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	cmd.exe
2888	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\de-DE\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\SpeechEngines\Microsoft\TTS20\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\ehome\CreateDisc\SonicResources\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\CreateDisc\SonicResources\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2204	schtasks.exe
2112	schtasks.exe
1748	schtasks.exe
2980	schtasks.exe
1488	schtasks.exe
2168	schtasks.exe
596	schtasks.exe
624	schtasks.exe
2524	schtasks.exe
2300	schtasks.exe
2260	schtasks.exe
3048	schtasks.exe
1984	schtasks.exe
1740	schtasks.exe
1856	schtasks.exe
2484	schtasks.exe
3020	schtasks.exe
1420	schtasks.exe
1136	schtasks.exe
2896	schtasks.exe
2008	schtasks.exe
2280	schtasks.exe
2160	schtasks.exe
1636	schtasks.exe
2056	schtasks.exe
1736	schtasks.exe
2384	schtasks.exe
1908	schtasks.exe
2876	schtasks.exe
1928	schtasks.exe
1944	schtasks.exe
2880	schtasks.exe
2904	schtasks.exe
1156	schtasks.exe
820	schtasks.exe
788	schtasks.exe
2120	schtasks.exe
2528	schtasks.exe
1652	schtasks.exe
1036	schtasks.exe
2620	schtasks.exe
2856	schtasks.exe
2088	schtasks.exe
2100	schtasks.exe
1436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2740	DllCommonsvc.exe
2740	DllCommonsvc.exe
2740	DllCommonsvc.exe
868	powershell.exe
2288	powershell.exe
1572	powershell.exe
976	powershell.exe
2768	powershell.exe
1668	powershell.exe
2480	powershell.exe
1056	powershell.exe
1724	powershell.exe
2320	powershell.exe
2776	powershell.exe
1072	powershell.exe
2472	powershell.exe
2232	powershell.exe
340	powershell.exe
740	services.exe
2544	services.exe
2764	services.exe
2740	services.exe
2856	services.exe
1072	services.exe
912	services.exe
2996	services.exe
2232	services.exe
2760	services.exe
2368	services.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	DllCommonsvc.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2480	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	740	services.exe
Token: SeDebugPrivilege	2544	services.exe
Token: SeDebugPrivilege	2764	services.exe
Token: SeDebugPrivilege	2740	services.exe
Token: SeDebugPrivilege	2856	services.exe
Token: SeDebugPrivilege	1072	services.exe
Token: SeDebugPrivilege	912	services.exe
Token: SeDebugPrivilege	2996	services.exe
Token: SeDebugPrivilege	2232	services.exe
Token: SeDebugPrivilege	2760	services.exe
Token: SeDebugPrivilege	2368	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2940	2028	JaffaCakes118_bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b.exe	30
PID 2028 wrote to memory of 2940	2028	JaffaCakes118_bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b.exe	30
PID 2028 wrote to memory of 2940	2028	JaffaCakes118_bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b.exe	30
PID 2028 wrote to memory of 2940	2028	JaffaCakes118_bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b.exe	30
PID 2940 wrote to memory of 2888	2940	WScript.exe	31
PID 2940 wrote to memory of 2888	2940	WScript.exe	31
PID 2940 wrote to memory of 2888	2940	WScript.exe	31
PID 2940 wrote to memory of 2888	2940	WScript.exe	31
PID 2888 wrote to memory of 2740	2888	cmd.exe	33
PID 2888 wrote to memory of 2740	2888	cmd.exe	33
PID 2888 wrote to memory of 2740	2888	cmd.exe	33
PID 2888 wrote to memory of 2740	2888	cmd.exe	33
PID 2740 wrote to memory of 976	2740	DllCommonsvc.exe	80
PID 2740 wrote to memory of 976	2740	DllCommonsvc.exe	80
PID 2740 wrote to memory of 976	2740	DllCommonsvc.exe	80
PID 2740 wrote to memory of 2288	2740	DllCommonsvc.exe	81
PID 2740 wrote to memory of 2288	2740	DllCommonsvc.exe	81
PID 2740 wrote to memory of 2288	2740	DllCommonsvc.exe	81
PID 2740 wrote to memory of 2320	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 2320	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 2320	2740	DllCommonsvc.exe	82
PID 2740 wrote to memory of 340	2740	DllCommonsvc.exe	83
PID 2740 wrote to memory of 340	2740	DllCommonsvc.exe	83
PID 2740 wrote to memory of 340	2740	DllCommonsvc.exe	83
PID 2740 wrote to memory of 1072	2740	DllCommonsvc.exe	84
PID 2740 wrote to memory of 1072	2740	DllCommonsvc.exe	84
PID 2740 wrote to memory of 1072	2740	DllCommonsvc.exe	84
PID 2740 wrote to memory of 1724	2740	DllCommonsvc.exe	85
PID 2740 wrote to memory of 1724	2740	DllCommonsvc.exe	85
PID 2740 wrote to memory of 1724	2740	DllCommonsvc.exe	85
PID 2740 wrote to memory of 2232	2740	DllCommonsvc.exe	86
PID 2740 wrote to memory of 2232	2740	DllCommonsvc.exe	86
PID 2740 wrote to memory of 2232	2740	DllCommonsvc.exe	86
PID 2740 wrote to memory of 868	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 868	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 868	2740	DllCommonsvc.exe	87
PID 2740 wrote to memory of 1056	2740	DllCommonsvc.exe	88
PID 2740 wrote to memory of 1056	2740	DllCommonsvc.exe	88
PID 2740 wrote to memory of 1056	2740	DllCommonsvc.exe	88
PID 2740 wrote to memory of 2480	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 2480	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 2480	2740	DllCommonsvc.exe	89
PID 2740 wrote to memory of 2472	2740	DllCommonsvc.exe	90
PID 2740 wrote to memory of 2472	2740	DllCommonsvc.exe	90
PID 2740 wrote to memory of 2472	2740	DllCommonsvc.exe	90
PID 2740 wrote to memory of 1660	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 1660	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 1660	2740	DllCommonsvc.exe	91
PID 2740 wrote to memory of 1572	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 1572	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 1572	2740	DllCommonsvc.exe	94
PID 2740 wrote to memory of 1668	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 1668	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 1668	2740	DllCommonsvc.exe	95
PID 2740 wrote to memory of 2776	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 2776	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 2776	2740	DllCommonsvc.exe	96
PID 2740 wrote to memory of 2768	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 2768	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 2768	2740	DllCommonsvc.exe	97
PID 2740 wrote to memory of 2196	2740	DllCommonsvc.exe	111
PID 2740 wrote to memory of 2196	2740	DllCommonsvc.exe	111
PID 2740 wrote to memory of 2196	2740	DllCommonsvc.exe	111
PID 2196 wrote to memory of 2804	2196	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bc2349e52b4345d3d2784d54acf3840db439146cbc14a73f6d1916226ab3600b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\CreateDisc\SonicResources\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\265fR5m4JO.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2804
      - C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        7⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:788
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
        9⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1408
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"
        11⤵
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1684
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        13⤵
        
        PID:1464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2336
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat"
        15⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1576
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        17⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:976
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
        19⤵
        
        PID:812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2536
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        21⤵
        
        PID:876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:984
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        23⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2448
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        25⤵
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1060
        
        C:\Program Files\Windows Sidebar\fr-FR\services.exe
        
        "C:\Program Files\Windows Sidebar\fr-FR\services.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
        27⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\de-DE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\fr-FR\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\fr-FR\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Cursors\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Cursors\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\ehome\CreateDisc\SonicResources\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ehome\CreateDisc\SonicResources\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\ehome\CreateDisc\SonicResources\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\ServiceProfiles\LocalService\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\ServiceProfiles\LocalService\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32752995f85dad6b3c81ebcc6ccdba14

SHA1
ce65b1cc08435413b468408dee08be4e890a0105

SHA256
1c6b779b64652866dd656423224db00ebfffda1bb4a15ed7294ce169eabfe3be

SHA512
b7f2dd5027534ec709e0a46bcd0e51a1c36afaa6cd5e9375d009182366ee82c8c5074c7674e787812fdd9771510edfc4f88d39248f747a8cf2e031878999eeeb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a72b2d1febcec486cedd925c18fed90f

SHA1
c508c2e4ad7f8520693e899ec3c0fd34d2ba5db3

SHA256
b6ac7e0e42f73625475680f431c13c34c2cb49b8ed2f26ddcebce474947ee7c0

SHA512
c784e0e525b9ff87e81422f43e93fe49fc4acd84fc6ef2a7cc888dabef7d142de3a39a1bcae579a3d6e50b66ea9f7af3b6e208e4677bbea1f29c2d8b6e88f6d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94ea15a686a372ded81cb2d4358f98d6

SHA1
0d8e78e02ddb9295de9867fa1d5bcd2a8448a9ca

SHA256
17d3134c118893f5d428fa905020f9ddf23d5c8f757a6f15c0c638e04ae6413c

SHA512
4f153edef2602572fc5a4d265fb1021219b614ef1166b38d2bff6fd81f0177422cad9f03ac84e27a56c546ec7428485a847ae53fa7d4214e9de597c970b6a13e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e102fdabd02b9b07b7f966a7cd9f20b8

SHA1
06b35d3b4a662709d842a10302002850b86192a2

SHA256
ecc7d1b258fb16ae8d28bcb3dc97a16390088122408cc1b80c92ac48e663d4bc

SHA512
60ab6bdb68483f4e79ebf445d32456e7d21d44d1e08134b95ccd6cd076646ef38872ebe1f601569775239fb38b29f55e582101e56f90a74249d5fd49e4227457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be4240198483e202bdfa3454ad45f329

SHA1
687ab05cf0a51a35309c91848dffc694ed9ae897

SHA256
20dcdc3d1223d80ff1e92fcf536f389c0604250b833e68a43725ab37876a0d26

SHA512
6219a89690b2b8e299087e1282286b2e819d42afa2b2279ecc4a70bf65cb6d1cec436f11b4da9e887dcd7393f3a679fa7afdbf8aa42a77087ffa044b9bbc39d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ae2f63209d4f0f45976db093c583187

SHA1
61c0cf122a777d073f56e9a51ee466327e16a9d3

SHA256
9e566979817e95082ef4a24e646046b7b3853c199ee831ea14b94202d0447663

SHA512
19f4ddb345f59207ae4cdb6ca293323113c154bd03dac5afff9e770aa80731736b3869133b2c0bc4d01e690aa5a5873ea5cddedad7c1d6abe72781d83e14223c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffd4f1021902c8b8e49fa51ce893a667

SHA1
f1c790a4b1bbc293bd189e32a980a3df96a4f2b5

SHA256
654b55ac93145165c7115e739a2b7256836e14953f6dcf6f7e30e63cd91f25a4

SHA512
7327afa409bd4bbe750998515077ce91287a077db8fd518c0e248ae48f5cacc44cd322b50372c8ed239ccbdd28ea62f5d52120845f414b831b408540475be5ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3eace29096d758612e0d94f506473795

SHA1
73fcfcfb6b5250ccdcd37aad3a7942ede0dfa17a

SHA256
41872da2b4057aec82d5b15b4d83d8d4783b585dd4a68e2028afddea9d66ff34

SHA512
732dcbf0f481c458b351c3c467ab8cb414c59c83950ee593f960857e87b16b3753b117f62a45f27e44cd39eb5d35b695d03837eae9d27af5ecaa3fa0dabc487b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
839b1661ca98a22b306e3e01ade537ff

SHA1
5af959f7eb5b4def1a813d2a1a25f1a1ba0378ae

SHA256
d4506704a333d26d03fde67edd0dd3d383f41d152b32c6a3eccc175171e01255

SHA512
1bdaa77cbddbb396b6382564e14ff4855991c0e9883164e0ec3ccf1df4774dc511fcbcf3b7ac171ff097cd98e73105607831b9890d88f143fda2861f502a9a8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f30c3f905eac68accd7d2e2038d1ec3

SHA1
48e0acaac4d494ccc57dde988f67414027963d79

SHA256
69c358a2392b924f2855a82bfd70acbf00792d7c407936f9edc324a41547062f

SHA512
4c75c15eb2f601531f9f79667e796f5c82b28be9e7e3300ef93ca1d9e0b03e34b3dbc3b9d5cf9e0d99fd0b90f6d46cc35d679894f901070f533444c5e8680c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\265fR5m4JO.bat

Filesize
216B

MD5
24d1fcbe1160fa9821662ae1f15a4939

SHA1
f5169f98780bad6aff797b5837542a88f6f30417

SHA256
31c5b7b8b0eb1e40f62e2474d74bc99359066bdbff503d9ca0c46644b3c5a8aa

SHA512
8412163a095a4423ac19de2954fc4bb91ab0afdcf3d9653407d97111bd4e63c1bd043304a2fceae183c25c125f2eb638c7cef56f6098e365360f2c7fbdc6af01

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
216B

MD5
ee2891fc093b66604e01ee0d7562366f

SHA1
7e21c169b3ad89dd2c18d79ad12c770d5feb2e40

SHA256
1c6f49d0b55c7cb1d7e5ee2c222e9e49c43b89191fdb02f45064a81cc914129a

SHA512
34193ec88881a877592cee165c85bd8d7295752ec415f0e8a3ae863c1ae4749465eb0e9e6b1bd1cc1c99c90130155968d619ef17fe6cb8b2c26578787e307d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\5irhJyFUC1.bat

Filesize
216B

MD5
eab81d763c2816b8e61f368ac04ae4d4

SHA1
7bafc32a8e07a30b527a85abaa409d3357f3b3f9

SHA256
09542010692ab9cfc93c5ad4572c9f8521bdf0014cd4814858cf809098c2c671

SHA512
0d5b8b20f61d7c2977938f6337c9d4ffc87a4f602713bb2f72c56ec9ec9dc743e164e556c49b75b07a54210f0226958da63fd6cbb65d307c9dfdb1203ef4e38d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

Filesize
216B

MD5
f8132ff706ca0274a4557656fb23890c

SHA1
59c565090827432107f376bf94c312645064bc61

SHA256
6cb1ee4a00a187bd3e1cd0be6097ffa3e57719eb2dc358c34551c3bb2549372a

SHA512
c047c22cef14a24522b88acfb9a29aed24748f594012730253be0bb00653978a3e765bea1b91ffb1f6266c86a1bee47eaa5eb641b5b1108b508d857c5228eaee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab84BC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
216B

MD5
fcf4620d44cc5479b55b0044b4fea79c

SHA1
91921134b7a4db2f5f36233b63c902498f03b751

SHA256
b540e4a82fdf31baf4852e1978bf9d1c325348faa47851cbf9b810fe74ca9a36

SHA512
f5a3df165b935d71cb5b2658999f976776f3e0a26eed56b37d620ef49a3725d26f302da48fd5af738bc37981eea21226075b54717de02b39ad56109bbb310e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
216B

MD5
7c55bc689451004a6b6f52808e2fbb84

SHA1
974164793a362bf39b72c64b4125a301bcd7b1f7

SHA256
e7f256c724da6b309897320976132dcc4779b1c7ede9c33beacdb1b1d2beaa0e

SHA512
dba03e4c9f23fcf98211d09a77793330b100adf0a734c03cdc63366de120324f3e0c1e8f788eb0c2fbd5cd9ac8ab6064438f95f8424aaec59a4f04899db3216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
216B

MD5
970def175f2ade0a97af5ef14bf13f01

SHA1
7b30c0ed6d53bb32272901a85ef8ae99ef6c6123

SHA256
b484ff0441f1b4da51065b5911cbb4310d25136daf8615310f8d45a7ee181561

SHA512
7b405acae175d3f823b7d5cb2c25cc72c07be0c364ba652677db891a4f245c3b4ca79aef384564c5ad09a08dd83ba20b5f5184ad78ef36457af40f9af22f7f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar84CE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

Filesize
216B

MD5
b12cec805433f70d7c967d3d2fb619ec

SHA1
b1b9eb95b567469606834c3aba479d078b424afc

SHA256
c68fcb5d61e2d5841be6611c9ae301592558aaf2f88ddc358c0b57943c48b5b7

SHA512
7ea6a9f016dff898f38adc7e9a4dd3f8977404c23fe591f75f79093c9b763ec7011b8f0e76a57cce7a17647dc8e18c92012f7e4355ae8c970e97dab48cf8a38f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat

Filesize
216B

MD5
61232e8291107a006217411bcc9d21d6

SHA1
e19b1c234b7f206724250e6a004e99f637e56e2a

SHA256
463b5bd7b09121bf4288680b564b78c5d485fbb11dab1f498cfe9838711ac07e

SHA512
28bd400a9e1742c73c9fbb2d56ee15bcf4803516b5adeceb2795c30193eec58746a25d95a80fb68dcca0983cc41488e8e5ce4e5a505c0a7623e438a5a1618105

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
216B

MD5
24126d8d29dedf6e554fdaa25c0d9a97

SHA1
d6b484da0d652e75242425f95354d07f4a0bb431

SHA256
21c498bfc2dff11f8a2193ae805d003725ba57b57519a34375497ba2d8af6948

SHA512
07a66d16657847ed75100b43b7d4868ea0b20ca4140a83d7cd17205c7b862541e9595d80991a317879398ed748e1896e8a4c38e047c08365c8c214f4529df795

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
216B

MD5
35630726c0e146bee545df62398b9ea1

SHA1
9202648f075cc540e141898d1ae18064b1bf7061

SHA256
6ca919dfd80ef4d3413b321b7248cee33beb02bf3bcdf7b08c23e1dd0ba1f2f2

SHA512
15f137b8f3b930515ba4e73f47b0428821b3716d252ef69868cf3e3d4d1acd0bc8b40a360eda0c7fe29f222af18ea972f57e79bb4a95d47e81e6d0a04d6c6029

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat

Filesize
216B

MD5
e1caaf1b0882e152d4458a6d6f372b1a

SHA1
230297fd963ab1c0df261c5ac0c6393f35306926

SHA256
762bae409a872b1307ffe0dbab51679ce3331fbbafbb85405f96b2a23871f239

SHA512
fa8073c759404036ea4853ad106482df62cd629974560ae1155c6f23067052426be6693c8f0b8fee39e80c3359cb5d0d15eb8b69c0164b5c5e6cdcd2820599f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
13df499d9857bdc493452c3769b1e20f

SHA1
e12ee30c4cfa1cae41f6af5172f5a8d83614a45f

SHA256
a76881382d102fb8805b0642fd003cddbf0323f607a937d94a5623d27fdf36c6

SHA512
44b8e07d6c918910f03a46ff12f801e673c763611da847ceaca851fb3def3b6e6bbf7897684cbdff1bc8a32f93dafe8d2f9a1c730316875804f1c6623056a5fa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/740-131-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/740-132-0x00000000005F0000-0x0000000000602000-memory.dmp

Filesize
72KB

Download
memory/868-61-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/868-62-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/912-489-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/1072-429-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2232-609-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/2544-191-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2740-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2740-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2740-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2740-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2740-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2760-669-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2856-369-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2996-549-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download