dcrat | 8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574.exe
Size

1.3MB
MD5

e942df4022b582e12d56d7969db6cfbf
SHA1

560f16b7d0d4365bc23c9161b90e8045ac88bf75
SHA256

8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574
SHA512

81c61fcb3e2663d392a347221292b7727be089912e3252d760839ba199e86215ed7c132b86c6e31b1f32dbb9a19fb0331e0b84eea61195003eb933ca2b67dd65
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	1948	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1948	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d4a-9.dat	dcrat
behavioral1/memory/2676-13-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1324-156-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/2252-216-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1824-276-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2656-395-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2408-455-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2708-515-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 19 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
632	powershell.exe
1780	powershell.exe
580	powershell.exe
2376	powershell.exe
2692	powershell.exe
1264	powershell.exe
2908	powershell.exe
2844	powershell.exe
2564	powershell.exe
2108	powershell.exe
2144	powershell.exe
2104	powershell.exe
2932	powershell.exe
2304	powershell.exe
2460	powershell.exe
2128	powershell.exe
2208	powershell.exe
2740	powershell.exe
3020	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2676	DllCommonsvc.exe
1324	lsass.exe
2252	lsass.exe
1824	lsass.exe
528	lsass.exe
2656	lsass.exe
2408	lsass.exe
2708	lsass.exe
2504	lsass.exe
1588	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2840	cmd.exe
2840	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\fr-FR\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2376	schtasks.exe
3036	schtasks.exe
3024	schtasks.exe
2236	schtasks.exe
2168	schtasks.exe
528	schtasks.exe
2656	schtasks.exe
1588	schtasks.exe
1056	schtasks.exe
2216	schtasks.exe
2008	schtasks.exe
2832	schtasks.exe
2884	schtasks.exe
2108	schtasks.exe
2212	schtasks.exe
1324	schtasks.exe
2000	schtasks.exe
2352	schtasks.exe
2488	schtasks.exe
860	schtasks.exe
2520	schtasks.exe
552	schtasks.exe
1804	schtasks.exe
352	schtasks.exe
2612	schtasks.exe
2172	schtasks.exe
2180	schtasks.exe
2332	schtasks.exe
1796	schtasks.exe
1692	schtasks.exe
1268	schtasks.exe
1752	schtasks.exe
2816	schtasks.exe
984	schtasks.exe
2452	schtasks.exe
772	schtasks.exe
2772	schtasks.exe
2076	schtasks.exe
1128	schtasks.exe
1920	schtasks.exe
3000	schtasks.exe
2540	schtasks.exe
2512	schtasks.exe
2292	schtasks.exe
1472	schtasks.exe
980	schtasks.exe
1228	schtasks.exe
1300	schtasks.exe
1492	schtasks.exe
1344	schtasks.exe
2916	schtasks.exe
2912	schtasks.exe
1248	schtasks.exe
2428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2692	powershell.exe
2128	powershell.exe
2932	powershell.exe
2304	powershell.exe
2108	powershell.exe
2104	powershell.exe
2144	powershell.exe
1264	powershell.exe
2564	powershell.exe
3020	powershell.exe
2376	powershell.exe
2844	powershell.exe
632	powershell.exe
2908	powershell.exe
580	powershell.exe
2740	powershell.exe
2208	powershell.exe
2460	powershell.exe
1780	powershell.exe
1324	lsass.exe
2252	lsass.exe
1824	lsass.exe
528	lsass.exe
2656	lsass.exe
2408	lsass.exe
2708	lsass.exe
2504	lsass.exe
1588	lsass.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	580	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1324	lsass.exe
Token: SeDebugPrivilege	2252	lsass.exe
Token: SeDebugPrivilege	1824	lsass.exe
Token: SeDebugPrivilege	528	lsass.exe
Token: SeDebugPrivilege	2656	lsass.exe
Token: SeDebugPrivilege	2408	lsass.exe
Token: SeDebugPrivilege	2708	lsass.exe
Token: SeDebugPrivilege	2504	lsass.exe
Token: SeDebugPrivilege	1588	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1132	2172	JaffaCakes118_8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574.exe	30
PID 2172 wrote to memory of 1132	2172	JaffaCakes118_8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574.exe	30
PID 2172 wrote to memory of 1132	2172	JaffaCakes118_8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574.exe	30
PID 2172 wrote to memory of 1132	2172	JaffaCakes118_8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574.exe	30
PID 1132 wrote to memory of 2840	1132	WScript.exe	31
PID 1132 wrote to memory of 2840	1132	WScript.exe	31
PID 1132 wrote to memory of 2840	1132	WScript.exe	31
PID 1132 wrote to memory of 2840	1132	WScript.exe	31
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2840 wrote to memory of 2676	2840	cmd.exe	33
PID 2676 wrote to memory of 2932	2676	DllCommonsvc.exe	89
PID 2676 wrote to memory of 2932	2676	DllCommonsvc.exe	89
PID 2676 wrote to memory of 2932	2676	DllCommonsvc.exe	89
PID 2676 wrote to memory of 2692	2676	DllCommonsvc.exe	90
PID 2676 wrote to memory of 2692	2676	DllCommonsvc.exe	90
PID 2676 wrote to memory of 2692	2676	DllCommonsvc.exe	90
PID 2676 wrote to memory of 2740	2676	DllCommonsvc.exe	91
PID 2676 wrote to memory of 2740	2676	DllCommonsvc.exe	91
PID 2676 wrote to memory of 2740	2676	DllCommonsvc.exe	91
PID 2676 wrote to memory of 2304	2676	DllCommonsvc.exe	93
PID 2676 wrote to memory of 2304	2676	DllCommonsvc.exe	93
PID 2676 wrote to memory of 2304	2676	DllCommonsvc.exe	93
PID 2676 wrote to memory of 2844	2676	DllCommonsvc.exe	94
PID 2676 wrote to memory of 2844	2676	DllCommonsvc.exe	94
PID 2676 wrote to memory of 2844	2676	DllCommonsvc.exe	94
PID 2676 wrote to memory of 2908	2676	DllCommonsvc.exe	96
PID 2676 wrote to memory of 2908	2676	DllCommonsvc.exe	96
PID 2676 wrote to memory of 2908	2676	DllCommonsvc.exe	96
PID 2676 wrote to memory of 580	2676	DllCommonsvc.exe	97
PID 2676 wrote to memory of 580	2676	DllCommonsvc.exe	97
PID 2676 wrote to memory of 580	2676	DllCommonsvc.exe	97
PID 2676 wrote to memory of 2208	2676	DllCommonsvc.exe	99
PID 2676 wrote to memory of 2208	2676	DllCommonsvc.exe	99
PID 2676 wrote to memory of 2208	2676	DllCommonsvc.exe	99
PID 2676 wrote to memory of 2128	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 2128	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 2128	2676	DllCommonsvc.exe	100
PID 2676 wrote to memory of 2460	2676	DllCommonsvc.exe	101
PID 2676 wrote to memory of 2460	2676	DllCommonsvc.exe	101
PID 2676 wrote to memory of 2460	2676	DllCommonsvc.exe	101
PID 2676 wrote to memory of 1780	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 1780	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 1780	2676	DllCommonsvc.exe	102
PID 2676 wrote to memory of 632	2676	DllCommonsvc.exe	103
PID 2676 wrote to memory of 632	2676	DllCommonsvc.exe	103
PID 2676 wrote to memory of 632	2676	DllCommonsvc.exe	103
PID 2676 wrote to memory of 3020	2676	DllCommonsvc.exe	113
PID 2676 wrote to memory of 3020	2676	DllCommonsvc.exe	113
PID 2676 wrote to memory of 3020	2676	DllCommonsvc.exe	113
PID 2676 wrote to memory of 2564	2676	DllCommonsvc.exe	115
PID 2676 wrote to memory of 2564	2676	DllCommonsvc.exe	115
PID 2676 wrote to memory of 2564	2676	DllCommonsvc.exe	115
PID 2676 wrote to memory of 1264	2676	DllCommonsvc.exe	116
PID 2676 wrote to memory of 1264	2676	DllCommonsvc.exe	116
PID 2676 wrote to memory of 1264	2676	DllCommonsvc.exe	116
PID 2676 wrote to memory of 2108	2676	DllCommonsvc.exe	117
PID 2676 wrote to memory of 2108	2676	DllCommonsvc.exe	117
PID 2676 wrote to memory of 2108	2676	DllCommonsvc.exe	117
PID 2676 wrote to memory of 2104	2676	DllCommonsvc.exe	118
PID 2676 wrote to memory of 2104	2676	DllCommonsvc.exe	118
PID 2676 wrote to memory of 2104	2676	DllCommonsvc.exe	118
PID 2676 wrote to memory of 2376	2676	DllCommonsvc.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8cb4745661be818b7365422b2dad6ac80fde31012f6f9d9376f53c857b718574.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Documents\My Pictures\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Purble Place\fr-FR\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIfaJsbzNd.bat"
        5⤵
        
        PID:1808
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2080
      - C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        7⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2088
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
        9⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2484
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        11⤵
        
        PID:288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2316
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat"
        13⤵
        
        PID:992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2512
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat"
        15⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1920
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat"
        17⤵
        
        PID:2200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1572
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
        19⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1472
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        21⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3000
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Documents\My Pictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Documents\My Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Documents\My Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jre7\bin\plugin2\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Users\Public\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Purble Place\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\Purble Place\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Tasks\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\PrintHood\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\PrintHood\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f95e7a80c0b11e89ff8ade6b3a473a3b

SHA1
ce677357fbac47cdb9b58925ca6b000b216c7c5e

SHA256
6abf479398bbce50dd036530fa06fa3db26eb17acf720f6b95c609fe7c12e04e

SHA512
60a2cd122f14212b0fa187ec2b814e72c2b9697976dcbb4a9f9a0fd3c88a4ae14c29437d1e26a50821bd0e4e1e5bd70c70588c9b9b29d6df2f16988bf1e51b30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbebf4dd931326549b88ad6ff8429931

SHA1
4a31362e85943c094907311d704594c32435f752

SHA256
ebc5ed5feb58445e157a9c202ba4371d8ae9cd093c87a73909ebc047a6c29fdd

SHA512
a06ad054319c6d2429ab2f5a8f92e46c52724a52c2a887a2b6be4c9c95d108eb893afaf50ff356f4c4be0fbe8ee271d6152c3326bae8425c3d58f0a2879049bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b2aaa021ab638ab0f444ee13af81c3d

SHA1
89dc5ff287a26926ce654087aad4ddb9754a2870

SHA256
e9f69813e841217c02462ca64480b473048ce588f00e1bde6e3fedebd9ca4aef

SHA512
48986758544f16c763e10a9cb41767fd9cf24f969451fdfe7881cc69618571e1ad9aaee0ed29889e8fef652052acb32e151293e3a5600498ae913c3f9c52623c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
447bfcac9892593291acdc86122d14b0

SHA1
e8685a7e704c3f757a26aeafc5a71d3f7c777a36

SHA256
c20f3d5371fc4894b0689f762b5bf8a864500ecdce292252dff44ce8138e078a

SHA512
3d5f145752a00c6e1e3ecef016baa4bf2b204c64b256e2fc24ddcb56a48cb5de247ada2478fc5cc91dcf133d428569ce4f450ecbaf494f736f2c000e288f91fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c18808083ec3ca01b046fd36cf88257f

SHA1
798201474f5259466967821a7aae75ed2a934b2e

SHA256
0e1c0c8927772b9d174ac981e469a1d469e553d56a752624f4f684f2da6b8d90

SHA512
989e91536118735a63a14d160b3472c5890337875c72e8af6055f2c33c1afceb3097ab01c3832191c0b3fc15b3f2d36daddc4517c88642ad82aa5baff97dd6c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c307e16669e07ff2abbf2e2a6a1f42b

SHA1
6243ffbe15b944e23705722ce6a8ade37a075c37

SHA256
a3f0fa93d3637ab470f9fb680c03b057f4d27f40831a564acd0df9ecb741012d

SHA512
a20cb57bc86c24c5c646767718aef347e183a2cb38337012170e6704880433fea192b2e303c5dcd8e5a1acec00de7b260b1da2b1228259d9d38d22cbb93e7d8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a5ac6865c9cb648af4ca5243c616bcd

SHA1
58546f4943c755477aeded857def2f7084dfb348

SHA256
abf0d6fd7d7c1ad71f2997a039de57a3d0b5ef89b6265311d50eedb5c78cc535

SHA512
cc96c0a76aa25b04952064f5079a3cce5751232fd90e0fee3c15283b31f3e7ef976782183a09ffe2ebc7ce9c9bebd9413f7556d880803006cf29c04ea723eb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat

Filesize
192B

MD5
4faa16af1ad6e7e4be5cd3148f189f80

SHA1
34d0176639df840aadc985f3e7f1f5ad4b1501ee

SHA256
733179ccf79bb3b3ace470a73476c1107e1d7a9dc514c439480e84b79fb34559

SHA512
4484e0239a4556cf07d343c927df52019691250c94f49a6cbe83e40fbb8127191136c6e4f73bd8d03e04590a42ea2a45a8491e406ea9280b7ed4e300777b125b

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
192B

MD5
0d460057038e1700e0344ce3f3c34c82

SHA1
c3d36e91bfd79ffa7e69f7b7393a44d0e44ea037

SHA256
bfde2fb25c85687ac9969a4a545e5cc4de9db01bdd7048ce9d265377dfbf7b6f

SHA512
c19d3cfc594f4a71945744c0cdc6dcf574a00f1753f1bc911d03f14523ff53f72e5d0a08efbbc33d717cb1af31d9847649b8f0f95d85b0ec600fd39aee7ec167

Download Submit
C:\Users\Admin\AppData\Local\Temp\8wkcP7O697.bat

Filesize
192B

MD5
1fcc0a877927739e1d265bc15316e27a

SHA1
fe8d498754306b8e07557619fd2ece523816a5d4

SHA256
c84b44117ff362343753ae9badd75262f9fcc09e99c27dd8ccda38c32ccae191

SHA512
f3fbcf2899911fec13205ae0334a77bef6c9fe5d5ac90b0215ddeb00c4754d2454bce2fe0b6aa30fdffa45f8dd91050857da672296d27fe1d5dbea5ba1a04a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE2C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat

Filesize
192B

MD5
f630080c60762d84f3adc76c9fe8ac1a

SHA1
be5d971f9fe167bc18b624c8d4ce444fd192accf

SHA256
7525c653bc65acf3516c5a5e40b562aabb91c257480b5d1242393f665f1da7df

SHA512
4f43166665dd8286c5fc4b36166a181538b092e25f372818883b9df658224cd1e78cb4f9ac708fea4d04080da5e754de5e75163054d7d0177dfe2a8895f848bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE3E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIfaJsbzNd.bat

Filesize
192B

MD5
cb5e1cd6bc4f25f84d06f34fb76e4e69

SHA1
09b3583b3f7b30063b87b300e2c56bfa6146a134

SHA256
f91d6913e536edf070a639899add83680f384ea3edc944f83da3b7bac3213fce

SHA512
69d17920eb4a39883e0e165a7f0a63b9e3c409c661d282b0fbb4533016b60826443996f3d36f81014df3280f27e574e50fc0e91dbddaceae72fcf5723f257596

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
192B

MD5
1c27a0439c2b1bf8124c3ace9d4e3268

SHA1
602fc7c99e581748f6d1adbcf50c2ce241a5b39b

SHA256
bd33b9612676242c961fd4262deb4f06a601e9512a5bd87d82e22b9b3a029bd5

SHA512
661ec68accaa8d3e2892644e28b59d0dc57892133660ec1a834e0f642c58c36e15dc2683847418c730eb555a234524e492c57a793abeadd0f17588098fbf6118

Download Submit
C:\Users\Admin\AppData\Local\Temp\ezHXLeVHih.bat

Filesize
192B

MD5
a6375af1520e38c847dbe55081dc8d7f

SHA1
a646a2e845af2c3d80da388bbd06c60582766d75

SHA256
c1f6060fb7ece4125e3542ad8991972815897cdd77510d86257df474f5cfcaf8

SHA512
0f0e5970c031a6c911270bc5abaecdc34a236c07c26dc119aa1e39110de1649c4087e2ffe438e2944382b52987228a770dafda249515740ed9d126f95bd08dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
192B

MD5
83509aedf85d3c3668030a5e46ee1f84

SHA1
e55951c79ecece0a6b74ab0cf670614eb73e0804

SHA256
f76e37e33b7cce2ae247b66f76bcb6279daa84035c4eba45f42a523781014f33

SHA512
d95b1245435467420c3b097a9ed5833ebe73bacf5f1b81f5a21bf688499ea4677e161d342fbcd20e18c71ec6473768597f7b4878a5890b4ef298389a083b4aa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\qX4ufk0Q6M.bat

Filesize
192B

MD5
2a7ed5ff9f727267d5c41e3637404056

SHA1
e7b75887a8ebf9a09c1b47c600559314da260bc1

SHA256
a61d38c3c1ca96d03e1c7859a5006e3427d1091f711546a4f0894bda16829b22

SHA512
a51c2eb16acf0164c10f751db4c4e5d07b7ab45cbcd443a9ae778339e0d1f7404d1c54e8dc406e26fe1253d6516c05051a3aba8ea4d7b60d1ef68b0bd56a63ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
22a4baced2509107031a9111eefb3b23

SHA1
f7a89a3a8793011ad9673dfc210da91ff11d16d6

SHA256
b4bfab5437ee34db93e24500fbc683d30f581c24f282c0717449d2d3fe600c68

SHA512
4fb8c254fd7a679e291f2be3ac83650211de1194f05e00727734f920f106f9233c362ffd081c35ae7d9f635dd90e81592a3b9dc2c703a820a19e89c6cc0f1c3b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1324-157-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1324-156-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/1588-635-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1824-276-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2252-216-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2408-455-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2504-575-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2656-395-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2676-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2676-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2676-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2676-13-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2676-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2692-77-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2692-79-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2708-515-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download