dcrat | 41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Size

2.3MB
MD5

1e83ded2729ce777053c604e7d667c38
SHA1

e4de4580f9e80703961c6df8b3dc687d6ff16cda
SHA256

41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309
SHA512

6c032fee11131744a6234b9011e700faa12aaa194afc8d32f1206d61bbe397b7b4f9f278192e32883379e0ecb178b1aedf426285745c23a127e9db2495867ad1
SSDEEP

49152:P581k6pWQwY9zhWLCGUdeuGMvLq0jvYQxkm:P58C6pgTEO0jvYQR

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2576	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2576	schtasks.exe	30

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2124-1-0x0000000000CE0000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/files/0x00080000000190e0-17.dat	dcrat
behavioral1/memory/2356-49-0x0000000001090000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2728-58-0x0000000001270000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/1784-87-0x00000000012B0000-0x0000000001500000-memory.dmp	dcrat

Executes dropped EXE 11 IoCs

pid	Process
2356	csrss.exe
2728	csrss.exe
1484	csrss.exe
2412	csrss.exe
1088	csrss.exe
1784	csrss.exe
2648	csrss.exe
2316	csrss.exe
1944	csrss.exe
3012	csrss.exe
956	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	pastebin.com
7	pastebin.com
11	pastebin.com
21	pastebin.com
23	pastebin.com
4	pastebin.com
13	pastebin.com
15	pastebin.com
17	pastebin.com
19	pastebin.com
25	pastebin.com
9	pastebin.com

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\b16bb1caa594b8	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\b16bb1caa594b8	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Google\6203df4a6bafc7	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\886983d96e3d3e	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Uninstall Information\winlogon.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\f3b6ecef712a24	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\b16bb1caa594b8	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Java\jre7\42af1c969fbb7b	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Google\lsass.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Uninstall Information\cc11b995f2a76d	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files\Java\jre7\audiodg.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\ja-JP\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
File created	C:\Windows\PolicyDefinitions\ja-JP\b16bb1caa594b8	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\MuiCache	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2456	schtasks.exe
1312	schtasks.exe
1044	schtasks.exe
1772	schtasks.exe
2952	schtasks.exe
2176	schtasks.exe
1148	schtasks.exe
1752	schtasks.exe
3036	schtasks.exe
2452	schtasks.exe
2008	schtasks.exe
372	schtasks.exe
1948	schtasks.exe
1068	schtasks.exe
1348	schtasks.exe
2132	schtasks.exe
2416	schtasks.exe
2588	schtasks.exe
2612	schtasks.exe
1708	schtasks.exe
2328	schtasks.exe
1300	schtasks.exe
1860	schtasks.exe
3000	schtasks.exe
2096	schtasks.exe
3008	schtasks.exe
1100	schtasks.exe
1092	schtasks.exe
2540	schtasks.exe
1156	schtasks.exe
2960	schtasks.exe
1616	schtasks.exe
1956	schtasks.exe
2288	schtasks.exe
2720	schtasks.exe
3028	schtasks.exe
3012	schtasks.exe
1508	schtasks.exe
2500	schtasks.exe
396	schtasks.exe
1972	schtasks.exe
1280	schtasks.exe
1964	schtasks.exe
2928	schtasks.exe
2580	schtasks.exe
2892	schtasks.exe
2716	schtasks.exe
2888	schtasks.exe
2432	schtasks.exe
1732	schtasks.exe
1628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2124	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
2124	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
2124	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
2356	csrss.exe
2728	csrss.exe
1484	csrss.exe
2412	csrss.exe
1088	csrss.exe
1784	csrss.exe
2648	csrss.exe
2316	csrss.exe
1944	csrss.exe
3012	csrss.exe
956	csrss.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
Token: SeDebugPrivilege	2356	csrss.exe
Token: SeDebugPrivilege	2728	csrss.exe
Token: SeDebugPrivilege	1484	csrss.exe
Token: SeDebugPrivilege	2412	csrss.exe
Token: SeDebugPrivilege	1088	csrss.exe
Token: SeDebugPrivilege	1784	csrss.exe
Token: SeDebugPrivilege	2648	csrss.exe
Token: SeDebugPrivilege	2316	csrss.exe
Token: SeDebugPrivilege	1944	csrss.exe
Token: SeDebugPrivilege	3012	csrss.exe
Token: SeDebugPrivilege	956	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2356	2124	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	82
PID 2124 wrote to memory of 2356	2124	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	82
PID 2124 wrote to memory of 2356	2124	41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe	82
PID 2356 wrote to memory of 2344	2356	csrss.exe	83
PID 2356 wrote to memory of 2344	2356	csrss.exe	83
PID 2356 wrote to memory of 2344	2356	csrss.exe	83
PID 2344 wrote to memory of 2836	2344	cmd.exe	85
PID 2344 wrote to memory of 2836	2344	cmd.exe	85
PID 2344 wrote to memory of 2836	2344	cmd.exe	85
PID 2344 wrote to memory of 2728	2344	cmd.exe	86
PID 2344 wrote to memory of 2728	2344	cmd.exe	86
PID 2344 wrote to memory of 2728	2344	cmd.exe	86
PID 2728 wrote to memory of 2964	2728	csrss.exe	87
PID 2728 wrote to memory of 2964	2728	csrss.exe	87
PID 2728 wrote to memory of 2964	2728	csrss.exe	87
PID 2964 wrote to memory of 2508	2964	cmd.exe	89
PID 2964 wrote to memory of 2508	2964	cmd.exe	89
PID 2964 wrote to memory of 2508	2964	cmd.exe	89
PID 2964 wrote to memory of 1484	2964	cmd.exe	90
PID 2964 wrote to memory of 1484	2964	cmd.exe	90
PID 2964 wrote to memory of 1484	2964	cmd.exe	90
PID 1484 wrote to memory of 2908	1484	csrss.exe	91
PID 1484 wrote to memory of 2908	1484	csrss.exe	91
PID 1484 wrote to memory of 2908	1484	csrss.exe	91
PID 2908 wrote to memory of 2540	2908	cmd.exe	93
PID 2908 wrote to memory of 2540	2908	cmd.exe	93
PID 2908 wrote to memory of 2540	2908	cmd.exe	93
PID 2908 wrote to memory of 2412	2908	cmd.exe	94
PID 2908 wrote to memory of 2412	2908	cmd.exe	94
PID 2908 wrote to memory of 2412	2908	cmd.exe	94
PID 2412 wrote to memory of 884	2412	csrss.exe	95
PID 2412 wrote to memory of 884	2412	csrss.exe	95
PID 2412 wrote to memory of 884	2412	csrss.exe	95
PID 884 wrote to memory of 3048	884	cmd.exe	97
PID 884 wrote to memory of 3048	884	cmd.exe	97
PID 884 wrote to memory of 3048	884	cmd.exe	97
PID 884 wrote to memory of 1088	884	cmd.exe	98
PID 884 wrote to memory of 1088	884	cmd.exe	98
PID 884 wrote to memory of 1088	884	cmd.exe	98
PID 1088 wrote to memory of 2892	1088	csrss.exe	99
PID 1088 wrote to memory of 2892	1088	csrss.exe	99
PID 1088 wrote to memory of 2892	1088	csrss.exe	99
PID 2892 wrote to memory of 2716	2892	cmd.exe	101
PID 2892 wrote to memory of 2716	2892	cmd.exe	101
PID 2892 wrote to memory of 2716	2892	cmd.exe	101
PID 2892 wrote to memory of 1784	2892	cmd.exe	102
PID 2892 wrote to memory of 1784	2892	cmd.exe	102
PID 2892 wrote to memory of 1784	2892	cmd.exe	102
PID 1784 wrote to memory of 2776	1784	csrss.exe	103
PID 1784 wrote to memory of 2776	1784	csrss.exe	103
PID 1784 wrote to memory of 2776	1784	csrss.exe	103
PID 2776 wrote to memory of 2072	2776	cmd.exe	105
PID 2776 wrote to memory of 2072	2776	cmd.exe	105
PID 2776 wrote to memory of 2072	2776	cmd.exe	105
PID 2776 wrote to memory of 2648	2776	cmd.exe	106
PID 2776 wrote to memory of 2648	2776	cmd.exe	106
PID 2776 wrote to memory of 2648	2776	cmd.exe	106
PID 2648 wrote to memory of 1708	2648	csrss.exe	107
PID 2648 wrote to memory of 1708	2648	csrss.exe	107
PID 2648 wrote to memory of 1708	2648	csrss.exe	107
PID 1708 wrote to memory of 1984	1708	cmd.exe	109
PID 1708 wrote to memory of 1984	1708	cmd.exe	109
PID 1708 wrote to memory of 1984	1708	cmd.exe	109
PID 1708 wrote to memory of 2316	1708	cmd.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe
"C:\Users\Admin\AppData\Local\Temp\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
  "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\EJd69rIsmW.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2344
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2836
  - - C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
      "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\S4Mb4wPoYb.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2508
      - C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\sg5tFMTiWx.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        8⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\Ft4wDuDLLm.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        10⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\wmyYtdK9wm.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        12⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\foWeuNjz6H.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        14⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\OtHqfsL7hH.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        16⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\5ZuQQn5xd9.bat"
        17⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        18⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\PHSdn7sdcQ.bat"
        19⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        20⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\AjzBor9eUT.bat"
        21⤵
        
        PID:1280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:608
        
        C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe
        
        "C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe"
        22⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\LocalLow\Sun\Java\CVKg01t4CF.bat"
        23⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Java\jre7\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jre7\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\LocalLow\Sun\Java\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 14 /tr "'C:\Windows\PolicyDefinitions\ja-JP\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\ja-JP\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de3094" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\ja-JP\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309.exe

Filesize
2.3MB

MD5
1e83ded2729ce777053c604e7d667c38

SHA1
e4de4580f9e80703961c6df8b3dc687d6ff16cda

SHA256
41fbd73eb45783d323558185ed38027ec0cb64bb37729328ce12d8dd670de309

SHA512
6c032fee11131744a6234b9011e700faa12aaa194afc8d32f1206d61bbe397b7b4f9f278192e32883379e0ecb178b1aedf426285745c23a127e9db2495867ad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\5ZuQQn5xd9.bat

Filesize
221B

MD5
a15ae35c94ea7f182d671af95ea8fdff

SHA1
ff1a7068481e11c0f320788034135ab6aa98d464

SHA256
423e85ef51eecac52453183194a5229eead03046d40e6a1d28c718abd4d32a19

SHA512
9626fb08b2cde0a36988904a4eded2eb28c1e1d526d2ac080c5e756fd74a6bbd9b15246499f2e506a82d93464954d2444c230759e771780a0f45cb2bcfdfea9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\AjzBor9eUT.bat

Filesize
221B

MD5
9cc623311e1bcc0502c6c245eb0c724b

SHA1
b2c7d1a82d833a6840b8100c823f85e47b7b492b

SHA256
49b4c755cf5c892fd32c4b9d59437186836e71eed87335ad0f86c2a6821b7fc1

SHA512
507634af4f96dae87010573a8375f556ba4057bbdea9ca7f3bf71fb84e8e3378d8eff2e42d38ee240e46deb0fdea93e38060009e0ad2fb99cafc56fb09a0ebcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\CVKg01t4CF.bat

Filesize
221B

MD5
3145df9d42d6c28b9fb7ce3069e38ed0

SHA1
0758a4dd1bbfe1746d4f8d7bb3a0ab5388f27682

SHA256
90ff889310d0f5b082f59202ed6f0df7bd94cb2df436282f0c37ebc98a67f71b

SHA512
e9164970178843dd46b613c75c36ecb77645c4806d459bf87e43da62f71102862f2626cd1cbd797f880f09995683145896cbced8338761fec48730a437e4ce50

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\EJd69rIsmW.bat

Filesize
221B

MD5
c26771d0f19233689270ea262defdac4

SHA1
a9a59f92ccacc56d123d9c179eb71e104c6102fc

SHA256
c36a265ee52c64342951d210b6bb7d9a5a796c72d695a801b6fb53a099d3f759

SHA512
cee54d0bcd52a6dc1a0b4f35a950afea6874c2313d430ac9e4bcb59fd6baaee1314afcf30a8b82bce22d69903694af7b4f77e287c82beb96a063c4a2ac1bdee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Ft4wDuDLLm.bat

Filesize
221B

MD5
fde84786eecfdd40dda0397c839f9379

SHA1
db59ffd090562100715d52639bee2e8dd17689a6

SHA256
6571c282613ed0a1091ac2d948f8a34e857b75ee3e32d50680af76c155693bb3

SHA512
7e5286038799c84536fb7c6ab2ee99678feffaef5f8220cb5270d68085dd4392126ddc00a3e4219f40a6872aaeb654b03e3cf99a2253f3feb8337f97126d5376

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\OtHqfsL7hH.bat

Filesize
221B

MD5
403f0629d799f2555a04e37de0776c1f

SHA1
928a3aab9e9ec5748edfff13c372d64a8fb8a48a

SHA256
b4e65ab81f1a47d1ed25cac50fee8ac63dc1f4637b2732d66dadc54af86867d9

SHA512
d1dffbd740573796558a051064f974185e786c09ce1e30a7ca193ef17d500b7f29e3923d16bbfe357c9424d5102fa6119d6172aa0173707c0700dbc04d835505

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\PHSdn7sdcQ.bat

Filesize
221B

MD5
bf308b5c8fbb38e5ac75a5459cae553e

SHA1
018c2711d90777fb1889e9ced42f521119ee402f

SHA256
96d42755ae077c080a3391fdb947462ae5e8c71dedb9c7b438b52ced6945337c

SHA512
30a9ed6f8de1118cc89ed71527f2cdd82e04cb0c74f209b4858a9a17960cec73a50fada8610d6e9087171a5ee17eb6fbd07a388cd3c6868df8849913ec3a3215

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\S4Mb4wPoYb.bat

Filesize
221B

MD5
a0bfeefb99efa9faa7a1b1ec4751c542

SHA1
35f0d8d6624f162be52237e67508093909706b18

SHA256
6c4aae9202b068a75084c111e01ee61c54924ffd1db80eaf96718529b127110a

SHA512
54ba6ce90c4b9ba5d582d732d8127a266d6a740a26540254d5bc1f6ecb8b16b73a4eab2a0e1126edfebdf2b9aafff9a661b3acd4db1303f836c29a5e560ee437

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\foWeuNjz6H.bat

Filesize
221B

MD5
32a58c500dabaedabd7d17e81c577670

SHA1
3013f55bacfaa86d96f721d41edabf439e22ba99

SHA256
a00bd61d2b43a7bebc8127e2fafc5cd26a3a5a654ccdc4e3a8b9a46f9df32bd2

SHA512
a18fa872ac2d60715fde9f993d331b4fe8cb2823d63ed8dc018dfe09b925d97e99ea7830ef8ad975fd229ca6dd96d3604c66ec3a3b0814586fc56029c57a6ac9

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\sg5tFMTiWx.bat

Filesize
221B

MD5
ca168d96d4b57190881c86da20cd0267

SHA1
7452ae712a2dfcbb46bcb65e4479a8d68ddb89c2

SHA256
f4ac21df3befd870272abb2431cd3cd3f58650f2ded463348f93f4157bd5ee7d

SHA512
27de39d082a3b579873411259d4c1d8a4ffc4bc18d9620a5c06f7e3ef64b8c84820e537c7d269f05ad91f66b9e3dec854c676a9cdea1c9c499999c41e7df8362

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\wmyYtdK9wm.bat

Filesize
221B

MD5
b14f13a2ab7f012f2fcc5ea8850ac4a0

SHA1
6141e717f3f78c109c609e48b06ba14295356f7e

SHA256
50ff3398173e67104e5c1c5654a4c7b18d3420a49cfe0a5ff8d6d1749ca1d02a

SHA512
16fe0ce7ea7d9a34ca80ff51fd3e1d655a82e74563d764605e2d22cd673a05da7c2e7d165458fa265685fc0aa4aac634a2846337fea0ee8c4afaed5ff85d0247

Download Submit
memory/1088-80-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/1484-65-0x0000000000B40000-0x0000000000B96000-memory.dmp

Filesize
344KB

Download
memory/1484-66-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1784-87-0x00000000012B0000-0x0000000001500000-memory.dmp

Filesize
2.3MB

Download
memory/1784-88-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1944-109-0x00000000005E0000-0x0000000000636000-memory.dmp

Filesize
344KB

Download
memory/1944-110-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2124-3-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2124-7-0x0000000000440000-0x000000000044E000-memory.dmp

Filesize
56KB

Download
memory/2124-8-0x0000000000520000-0x0000000000528000-memory.dmp

Filesize
32KB

Download
memory/2124-4-0x00000000003F0000-0x0000000000406000-memory.dmp

Filesize
88KB

Download
memory/2124-50-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-2-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2124-6-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2124-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

Filesize
4KB

Download
memory/2124-1-0x0000000000CE0000-0x0000000000F30000-memory.dmp

Filesize
2.3MB

Download
memory/2124-5-0x00000000004D0000-0x0000000000526000-memory.dmp

Filesize
344KB

Download
memory/2356-49-0x0000000001090000-0x00000000012E0000-memory.dmp

Filesize
2.3MB

Download
memory/2356-51-0x0000000000380000-0x00000000003D6000-memory.dmp

Filesize
344KB

Download
memory/2412-73-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/2648-96-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2648-95-0x0000000001260000-0x00000000012B6000-memory.dmp

Filesize
344KB

Download
memory/2728-58-0x0000000001270000-0x00000000014C0000-memory.dmp

Filesize
2.3MB

Download
memory/3012-117-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download