dcrat | b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe
Size

1.3MB
MD5

fe76cbb1b1116a2b0ca20f5dbe8e2652
SHA1

4ae28f39a440b341ed2d47647ed02b626138fa52
SHA256

b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d
SHA512

6a3415db11955ec02c88d8221bc98f9af6e3b0949bd2485e3b42806b10ff5fa75f3d8599af4f41984d71e5b7bfd4908d0fb1d5a4684f3492fab647c21f3357f3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1232	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2752	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2752	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d36-9.dat	dcrat
behavioral1/memory/2144-13-0x0000000000C70000-0x0000000000D80000-memory.dmp	dcrat
behavioral1/memory/2968-95-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2508-185-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/2564-245-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2288-305-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2424-542-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1928-602-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat
behavioral1/memory/2428-663-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1864	powershell.exe
2412	powershell.exe
992	powershell.exe
1856	powershell.exe
2352	powershell.exe
2468	powershell.exe
2904	powershell.exe
2204	powershell.exe
1904	powershell.exe
1696	powershell.exe
876	powershell.exe
3020	powershell.exe
880	powershell.exe
1784	powershell.exe
2372	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2144	DllCommonsvc.exe
2968	cmd.exe
2508	cmd.exe
2564	cmd.exe
2288	cmd.exe
1000	cmd.exe
2156	cmd.exe
1904	cmd.exe
2424	cmd.exe
1928	cmd.exe
2428	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2168	cmd.exe
2168	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
33	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\it-IT\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\it-IT\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\fr-FR\27d1bcfc3c54e0	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\fr-FR\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\System.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\tracing\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2104	schtasks.exe
2060	schtasks.exe
628	schtasks.exe
1484	schtasks.exe
1860	schtasks.exe
2056	schtasks.exe
1636	schtasks.exe
2360	schtasks.exe
1516	schtasks.exe
1328	schtasks.exe
2604	schtasks.exe
3000	schtasks.exe
1676	schtasks.exe
2088	schtasks.exe
2940	schtasks.exe
1036	schtasks.exe
2964	schtasks.exe
2696	schtasks.exe
568	schtasks.exe
1232	schtasks.exe
2020	schtasks.exe
1300	schtasks.exe
1604	schtasks.exe
1924	schtasks.exe
2592	schtasks.exe
1160	schtasks.exe
2384	schtasks.exe
1640	schtasks.exe
2408	schtasks.exe
2560	schtasks.exe
2980	schtasks.exe
1948	schtasks.exe
1684	schtasks.exe
2528	schtasks.exe
2632	schtasks.exe
304	schtasks.exe
1912	schtasks.exe
2448	schtasks.exe
764	schtasks.exe
1660	schtasks.exe
1284	schtasks.exe
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2144	DllCommonsvc.exe
2144	DllCommonsvc.exe
2144	DllCommonsvc.exe
2372	powershell.exe
2204	powershell.exe
2352	powershell.exe
1784	powershell.exe
876	powershell.exe
3020	powershell.exe
2904	powershell.exe
1864	powershell.exe
1696	powershell.exe
880	powershell.exe
2412	powershell.exe
1904	powershell.exe
1856	powershell.exe
992	powershell.exe
2468	powershell.exe
2968	cmd.exe
2508	cmd.exe
2564	cmd.exe
2288	cmd.exe
1000	cmd.exe
2156	cmd.exe
1904	cmd.exe
2424	cmd.exe
1928	cmd.exe
2428	cmd.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2144	DllCommonsvc.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2968	cmd.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2508	cmd.exe
Token: SeDebugPrivilege	2564	cmd.exe
Token: SeDebugPrivilege	2288	cmd.exe
Token: SeDebugPrivilege	1000	cmd.exe
Token: SeDebugPrivilege	2156	cmd.exe
Token: SeDebugPrivilege	1904	cmd.exe
Token: SeDebugPrivilege	2424	cmd.exe
Token: SeDebugPrivilege	1928	cmd.exe
Token: SeDebugPrivilege	2428	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1760	548	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe	31
PID 548 wrote to memory of 1760	548	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe	31
PID 548 wrote to memory of 1760	548	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe	31
PID 548 wrote to memory of 1760	548	b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe	31
PID 1760 wrote to memory of 2168	1760	WScript.exe	32
PID 1760 wrote to memory of 2168	1760	WScript.exe	32
PID 1760 wrote to memory of 2168	1760	WScript.exe	32
PID 1760 wrote to memory of 2168	1760	WScript.exe	32
PID 2168 wrote to memory of 2144	2168	cmd.exe	34
PID 2168 wrote to memory of 2144	2168	cmd.exe	34
PID 2168 wrote to memory of 2144	2168	cmd.exe	34
PID 2168 wrote to memory of 2144	2168	cmd.exe	34
PID 2144 wrote to memory of 2372	2144	DllCommonsvc.exe	78
PID 2144 wrote to memory of 2372	2144	DllCommonsvc.exe	78
PID 2144 wrote to memory of 2372	2144	DllCommonsvc.exe	78
PID 2144 wrote to memory of 1784	2144	DllCommonsvc.exe	79
PID 2144 wrote to memory of 1784	2144	DllCommonsvc.exe	79
PID 2144 wrote to memory of 1784	2144	DllCommonsvc.exe	79
PID 2144 wrote to memory of 992	2144	DllCommonsvc.exe	80
PID 2144 wrote to memory of 992	2144	DllCommonsvc.exe	80
PID 2144 wrote to memory of 992	2144	DllCommonsvc.exe	80
PID 2144 wrote to memory of 1904	2144	DllCommonsvc.exe	82
PID 2144 wrote to memory of 1904	2144	DllCommonsvc.exe	82
PID 2144 wrote to memory of 1904	2144	DllCommonsvc.exe	82
PID 2144 wrote to memory of 2412	2144	DllCommonsvc.exe	83
PID 2144 wrote to memory of 2412	2144	DllCommonsvc.exe	83
PID 2144 wrote to memory of 2412	2144	DllCommonsvc.exe	83
PID 2144 wrote to memory of 876	2144	DllCommonsvc.exe	84
PID 2144 wrote to memory of 876	2144	DllCommonsvc.exe	84
PID 2144 wrote to memory of 876	2144	DllCommonsvc.exe	84
PID 2144 wrote to memory of 2352	2144	DllCommonsvc.exe	85
PID 2144 wrote to memory of 2352	2144	DllCommonsvc.exe	85
PID 2144 wrote to memory of 2352	2144	DllCommonsvc.exe	85
PID 2144 wrote to memory of 2468	2144	DllCommonsvc.exe	86
PID 2144 wrote to memory of 2468	2144	DllCommonsvc.exe	86
PID 2144 wrote to memory of 2468	2144	DllCommonsvc.exe	86
PID 2144 wrote to memory of 2204	2144	DllCommonsvc.exe	87
PID 2144 wrote to memory of 2204	2144	DllCommonsvc.exe	87
PID 2144 wrote to memory of 2204	2144	DllCommonsvc.exe	87
PID 2144 wrote to memory of 1696	2144	DllCommonsvc.exe	88
PID 2144 wrote to memory of 1696	2144	DllCommonsvc.exe	88
PID 2144 wrote to memory of 1696	2144	DllCommonsvc.exe	88
PID 2144 wrote to memory of 1864	2144	DllCommonsvc.exe	89
PID 2144 wrote to memory of 1864	2144	DllCommonsvc.exe	89
PID 2144 wrote to memory of 1864	2144	DllCommonsvc.exe	89
PID 2144 wrote to memory of 1856	2144	DllCommonsvc.exe	90
PID 2144 wrote to memory of 1856	2144	DllCommonsvc.exe	90
PID 2144 wrote to memory of 1856	2144	DllCommonsvc.exe	90
PID 2144 wrote to memory of 880	2144	DllCommonsvc.exe	91
PID 2144 wrote to memory of 880	2144	DllCommonsvc.exe	91
PID 2144 wrote to memory of 880	2144	DllCommonsvc.exe	91
PID 2144 wrote to memory of 2904	2144	DllCommonsvc.exe	93
PID 2144 wrote to memory of 2904	2144	DllCommonsvc.exe	93
PID 2144 wrote to memory of 2904	2144	DllCommonsvc.exe	93
PID 2144 wrote to memory of 3020	2144	DllCommonsvc.exe	94
PID 2144 wrote to memory of 3020	2144	DllCommonsvc.exe	94
PID 2144 wrote to memory of 3020	2144	DllCommonsvc.exe	94
PID 2144 wrote to memory of 2968	2144	DllCommonsvc.exe	108
PID 2144 wrote to memory of 2968	2144	DllCommonsvc.exe	108
PID 2144 wrote to memory of 2968	2144	DllCommonsvc.exe	108
PID 2968 wrote to memory of 908	2968	cmd.exe	109
PID 2968 wrote to memory of 908	2968	cmd.exe	109
PID 2968 wrote to memory of 908	2968	cmd.exe	109
PID 908 wrote to memory of 2376	908	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe
"C:\Users\Admin\AppData\Local\Temp\b082a1886dc2e8b6418e5ed851e2a3334cacfc06ae6868069f160df3fc7ab03d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\it-IT\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2376
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
        8⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2784
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        10⤵
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2608
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
        12⤵
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1672
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
        14⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2304
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        16⤵
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:628
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"
        18⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2176
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        20⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2372
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat"
        22⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2468
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
        24⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Defender\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Templates\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\tracing\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Windows\tracing\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Links\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Links\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Links\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\ModemLogs\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Windows\ModemLogs\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\Accessories\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\Web\Wallpaper\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\Wallpaper\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b7ec04523b6e4d9d3bf76cfbbeaa9ee

SHA1
5b40170ca28ca72ecd9a5070fbca54d9dafc714a

SHA256
dc6c2c419937b295047882a3b6d5c141f61969e891a6234e5787be3dd5f0de9e

SHA512
3543465ef66a0f065c962de117a688c0bd9ec61e7a98e7f1010a65ba18c736fe4cb2e7e1f609d93d6360ff6e5ee7b35df3a2dd2d3cc67dadd0f5efa716fa5caf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5812607527d3626b6653b3baa5a2749e

SHA1
9cbd1ce5db2f1bdbf10c01054bb9979d5f7759db

SHA256
2c00c2b9896420d4cdda1f10d23f7971be9a7bbe2bab6b33d40c4ae2242f30b6

SHA512
dcecc3ef7fccf259ebfc59583cd2b795faf1cca8e8c92aa46f7910a9285ecd820ddc390807c0ea99ffcf0cebad514fd2fdb60e056f99af8ce1a51b2e4105bf20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5a821afa3946276aad50e67ecb50d4a

SHA1
6398c3eaef622d535b96dca39c23957953b9bd25

SHA256
baeaf99db32f11f9ce21145f396a0aa2308e582e4535df2c3df11542959c41f8

SHA512
238c7982cc7c296a9f887198e88e6192811f79ad474be8f703163a5d50c11f0acc3048fc6dd54ebedc8cfbedc286594b54e6a081d94916d200e6710037ca9a3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5227002c13e46e75abef95b6d050de44

SHA1
cf2814487014a21da771ef0d0c8846163638ddb8

SHA256
937140e45148d30bc6949d46272f708ac1a9505e16a8034111b7b6b6058df6c7

SHA512
336661b14126fe8466ab1ac14e961142c641b896bbb14a4269c33d8f80d583edade6120212f67c8111166627ab9ef2cb92c14add7fa88eec2a886c2028b355e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2856346ef50757fa34618bc531eb8951

SHA1
a63335e5a4d866a7c1c2cb6e208d2dd466be200b

SHA256
518381f4091cb3720b0d83aaec8fde017ca38a102ab32c616a58c2964da6d5f6

SHA512
92c5978305b110187e36c20e8606c21ef36999927bba2fe596d04845ecab272c3a893a3937460af248bee9218a57ccbed0cf989feb21896155156ad632ce84da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76259cf7f1d317155973d8b15f57159c

SHA1
fd68bb628a8ec92d7c2080b101abc0a3598b5fbd

SHA256
7f199625ab403004b0387befe8d6ad62e2c8cba4d98f52be8c1436a8e144eb9f

SHA512
f71dd9d0e94918256a87412776cf548f20beaf3b2e04e761987e849b44893b9dfb4a03e7e8b04fb7085e174b98989e99c9fd2fce8d0c0ba7191a17baa4e1d11e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd717ba1a2c76ee274a83b9b5c19c328

SHA1
7364bcd321aad6fd5fe50e3d8c2470dd8dca35aa

SHA256
9367bbb8087d01d85c39de87d6c62c4966a6ce76837e61941511a66aca435aa7

SHA512
e5017f7820625e5b487a353f1e1abcca1e4f3f43ca705251098d3bac58f8496f59d156fb63eb45998a08baf3c52b67d62ac523e85330250c32234f552a378c95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae36d09ae16787e710e1996fa0ff2967

SHA1
72226dcce7c9bfdfaffee52a64354ff795bf1ba4

SHA256
243fde3572bbc90fb766379e0a5a95653979ddc887d1d0f95fc79e0b2c3734bc

SHA512
b7df8a1d4ed92e1646e5e0a126c1d3515e111a2601aa413bcbdb167c63d7153786c533fa8fe5e12532f94750c12558f13416d926df7e9ac033576b5d1580eee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bc10f73b5512d90016f854da2b4d967

SHA1
b6331cdf3ce84965a21ca020e51c24c410787a47

SHA256
704be5952e03179b6102ce56d64bc917590e42bd955e8b127558415b335affbe

SHA512
8d6b7e6cd27ffdf8c1c81bdd8865f7bd479a05cefa8b08e9c442df11c352092db7d4ac5687e7e0125a462dc8f8e825776374d94fcd21b692932913cbdc6c7b69

Download Submit
C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat

Filesize
225B

MD5
a003c0fbabfdeaefb24708eeb84271e1

SHA1
d2a6b6411e71ed4e5908ce50c1b64c85b3f02589

SHA256
e428469ea057e7edea7f8065e41f91c8b5da085f37cfd4dbb4fce112c4579258

SHA512
8cf79060d76e85e5a8944073cbb884ca8ef82892664f3d90ddfcbb22efa1cfcd0ddafced208ee52efe198dbb6627f4e98177911d9dc8674365c7f9f63edb1818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33A0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
225B

MD5
225748923e14118fe0bd25d7f2620398

SHA1
571500099e39773c65b193ffe602c10160020228

SHA256
16b30e685ef84dc4dd86c08cce9f4796578200b1260f0aa7e1cc20338b6ba158

SHA512
2cdf83a1dfafe3aba3b4380b5629089b538356b280489546982cc74b097f2df44ed45a6760856e621a87a5e105aee993b1859a829455626442f189bd1e38b1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
225B

MD5
c21b2340499eb50772c4cc3b17cd0e87

SHA1
157e2997072a65035578ad6d7ee6b0a1b4e76f06

SHA256
07c73e81aa80d6db3654cdf523f8e2056b2d1f743162f535ba64697b64e0d564

SHA512
1bb1ca16541125e011f61a0b001322417c931dd7ecdd998097a769d6b4f875b9409c92a047891fb5c47d2f9bfc2dbcf805e884a1041144c3ebdd1faae2845013

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

Filesize
225B

MD5
4d532cec26a2e2b9e3c40eb5787abed6

SHA1
e148ee716f9ea858cde6d3999cb97fa80d8e7c13

SHA256
96dea8e033a0404f359b1565726a092944da24cf8b99a2cf39a66f6950ca24e7

SHA512
82656e2b8bcf6557e678cc5314e1a31cbc76cc92309b0ceb885161bff9e0b3eb704059ad4673f06d50805c0170060b127b66948d0071fb36fd6c4c23a941f599

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar33C2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
225B

MD5
db95c38f7f1b2c3e95a9b32d00b787b4

SHA1
e414912599504671b5ca48a51d6b27c78fcc1d00

SHA256
8c312cfe6e1640056f569b1a11ff51d965eafdd721d1cb51955f1ea0e0c182f6

SHA512
a1bd5ac2f0fdc7d9be46b8d7a082bc4fc24fb50d2b6f8359d7a2af16053176e06948f48fb02670042c540113150635f583bac31285ebf97b9bad6d3ddbd30b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat

Filesize
225B

MD5
027393395ea25df5610f09e0b6256077

SHA1
f3f3ef030b1236e568fb86006558b7b86494a00c

SHA256
6af1c4d66adccd96c938fa12333b7b193f019314f774ae9922c016e1ea91e096

SHA512
cb466f134ef83978b471c3b7945a82c0aa0931b0bf7695d1f26edfcb1a6e17755cf829071a6861f9e845852ce6fa84628a05106de0221931d1014f1620623aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mv5UKbIUPK.bat

Filesize
225B

MD5
214c7e6044a778845c64803288800cfd

SHA1
f703985ae10ec53993b4319964db5044da4248a0

SHA256
0838fefc98fd690bc04512c4bbcb8946130a0471beb77a4c1558b04f30dee636

SHA512
5ddee9c51d03addf6ceb312a47508557bd8977d1cf47f28cd271fd5c17f5d7b2e9c01e8e900c8b974298ffa150fc52d7c2e518c70c72d2f05c04278023ce652d

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
225B

MD5
8410bc45520e4e06e6938c10775b34ca

SHA1
f1023aa93e349870b35e399c58f452afd72939a9

SHA256
9874312655fcd8af4f86db42cdc4bc7edadd568ba50143fe177dfb549bcb5d38

SHA512
97adc20eafb3d8d170ba1cb942dc02449474ac2d29b5e3d30b3a4c406eec4d8602afb85e0bfed81025f8b52b191d6d20198ad442fa43788660d26802b03e23c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat

Filesize
225B

MD5
1a9d7f42c71559e97d96ee1b52e88664

SHA1
b1bfc2aff02460cae556a0a5f799f47e685bda77

SHA256
107a7b898c09dd37efe1c0415b42f262798c226a27dfb025536b235696807077

SHA512
5386ea62f22f672eb04a2d16a7ff3fec791f7b51609d85ef655654ae9f85a1864f58392eea781e1154b4d573236122edc60572b0c11c01c41036b98a8c32c45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

Filesize
225B

MD5
5deba3543e7b77e3092ef9cb6ec748ad

SHA1
5fb7fc84bea0add847a9eb229b904781b783c6f6

SHA256
c99b67f2d4afa34c354b61c75b185a25f445437f520fea38bf54306aab4a3128

SHA512
bdae24993d31f8249d2037379b5c3317d0037f0081793730530649cd3fd09d4d936b07f73472d51cb97db343bf6ac22d5c43a1dd7c6a038b13f1ddcba48922d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8a94b499bc0b232b659b1b7bb984e31f

SHA1
8cfe84a56bb9eb33332959034322acdaa6033a82

SHA256
29d831ee80d26c8ea9210239c8aae8e733d7c67892f4a00fdf9d7377163650a3

SHA512
105512bba284de06e14e03b818db13b125b2e2092f8cf2c9bbb6f915a0b977ebf090da13db3b8533d17d069700eb4348ac7ac3197b0adc7f0f737d19dcb755dc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1784-63-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/1928-603-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1928-602-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2144-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2144-17-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2144-16-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2144-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2144-13-0x0000000000C70000-0x0000000000D80000-memory.dmp

Filesize
1.1MB

Download
memory/2288-305-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2352-80-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2424-542-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2428-663-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2508-185-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/2564-245-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2968-126-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2968-95-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download