dcrat | 8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658.exe
Size

1.3MB
MD5

8ce8638a041c4b0de9a098a59ce956fa
SHA1

ee416e7c589410c72fe4135befcebdf6af50b5c4
SHA256

8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658
SHA512

d8a0052b5035ac73c156e24aeeec7d08eabdb7d9bc706c1928165545352b66c187af233b197d80380a0694fb664fe097e38f09a254d36380759df4d0a0b8cac8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 51 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2928	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2928	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d1f-12.dat	dcrat
behavioral1/memory/2864-13-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/1508-58-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2028-315-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2780-375-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/380-435-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2004-496-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2152-616-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/1616-676-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
2828	powershell.exe
2660	powershell.exe
2656	powershell.exe
2080	powershell.exe
2772	powershell.exe
2768	powershell.exe
2412	powershell.exe
2744	powershell.exe
2904	powershell.exe
2376	powershell.exe
2880	powershell.exe
1668	powershell.exe
2124	powershell.exe
2112	powershell.exe
2888	powershell.exe
2644	powershell.exe
492	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2864	DllCommonsvc.exe
1508	services.exe
2644	services.exe
3012	services.exe
2028	services.exe
2780	services.exe
380	services.exe
2004	services.exe
1152	services.exe
2152	services.exe
1616	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2496	cmd.exe
2496	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Purble Place\it-IT\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 51 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2940	schtasks.exe
944	schtasks.exe
2624	schtasks.exe
1252	schtasks.exe
1480	schtasks.exe
2696	schtasks.exe
2100	schtasks.exe
2680	schtasks.exe
772	schtasks.exe
2540	schtasks.exe
1952	schtasks.exe
2704	schtasks.exe
2144	schtasks.exe
1088	schtasks.exe
352	schtasks.exe
1628	schtasks.exe
2448	schtasks.exe
2020	schtasks.exe
1444	schtasks.exe
2384	schtasks.exe
1588	schtasks.exe
2216	schtasks.exe
2804	schtasks.exe
2176	schtasks.exe
2036	schtasks.exe
1940	schtasks.exe
1724	schtasks.exe
1584	schtasks.exe
1916	schtasks.exe
1936	schtasks.exe
1228	schtasks.exe
2028	schtasks.exe
1440	schtasks.exe
2260	schtasks.exe
1200	schtasks.exe
1744	schtasks.exe
1532	schtasks.exe
844	schtasks.exe
1944	schtasks.exe
2556	schtasks.exe
1848	schtasks.exe
2184	schtasks.exe
2848	schtasks.exe
2052	schtasks.exe
1212	schtasks.exe
3024	schtasks.exe
1420	schtasks.exe
2380	schtasks.exe
2844	schtasks.exe
1148	schtasks.exe
2352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2864	DllCommonsvc.exe
2112	powershell.exe
2124	powershell.exe
2772	powershell.exe
2828	powershell.exe
2080	powershell.exe
2880	powershell.exe
1508	services.exe
2888	powershell.exe
2412	powershell.exe
2768	powershell.exe
1668	powershell.exe
2732	powershell.exe
2376	powershell.exe
2904	powershell.exe
2660	powershell.exe
2644	powershell.exe
2656	powershell.exe
492	powershell.exe
2744	powershell.exe
2644	services.exe
3012	services.exe
2028	services.exe
2780	services.exe
380	services.exe
2004	services.exe
1152	services.exe
2152	services.exe
1616	services.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	DllCommonsvc.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1508	services.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2888	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	2660	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	2644	services.exe
Token: SeDebugPrivilege	3012	services.exe
Token: SeDebugPrivilege	2028	services.exe
Token: SeDebugPrivilege	2780	services.exe
Token: SeDebugPrivilege	380	services.exe
Token: SeDebugPrivilege	2004	services.exe
Token: SeDebugPrivilege	1152	services.exe
Token: SeDebugPrivilege	2152	services.exe
Token: SeDebugPrivilege	1616	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2412	2376	JaffaCakes118_8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658.exe	30
PID 2376 wrote to memory of 2412	2376	JaffaCakes118_8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658.exe	30
PID 2376 wrote to memory of 2412	2376	JaffaCakes118_8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658.exe	30
PID 2376 wrote to memory of 2412	2376	JaffaCakes118_8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658.exe	30
PID 2412 wrote to memory of 2496	2412	WScript.exe	31
PID 2412 wrote to memory of 2496	2412	WScript.exe	31
PID 2412 wrote to memory of 2496	2412	WScript.exe	31
PID 2412 wrote to memory of 2496	2412	WScript.exe	31
PID 2496 wrote to memory of 2864	2496	cmd.exe	33
PID 2496 wrote to memory of 2864	2496	cmd.exe	33
PID 2496 wrote to memory of 2864	2496	cmd.exe	33
PID 2496 wrote to memory of 2864	2496	cmd.exe	33
PID 2864 wrote to memory of 2080	2864	DllCommonsvc.exe	86
PID 2864 wrote to memory of 2080	2864	DllCommonsvc.exe	86
PID 2864 wrote to memory of 2080	2864	DllCommonsvc.exe	86
PID 2864 wrote to memory of 2376	2864	DllCommonsvc.exe	87
PID 2864 wrote to memory of 2376	2864	DllCommonsvc.exe	87
PID 2864 wrote to memory of 2376	2864	DllCommonsvc.exe	87
PID 2864 wrote to memory of 2124	2864	DllCommonsvc.exe	88
PID 2864 wrote to memory of 2124	2864	DllCommonsvc.exe	88
PID 2864 wrote to memory of 2124	2864	DllCommonsvc.exe	88
PID 2864 wrote to memory of 492	2864	DllCommonsvc.exe	89
PID 2864 wrote to memory of 492	2864	DllCommonsvc.exe	89
PID 2864 wrote to memory of 492	2864	DllCommonsvc.exe	89
PID 2864 wrote to memory of 2772	2864	DllCommonsvc.exe	90
PID 2864 wrote to memory of 2772	2864	DllCommonsvc.exe	90
PID 2864 wrote to memory of 2772	2864	DllCommonsvc.exe	90
PID 2864 wrote to memory of 2112	2864	DllCommonsvc.exe	91
PID 2864 wrote to memory of 2112	2864	DllCommonsvc.exe	91
PID 2864 wrote to memory of 2112	2864	DllCommonsvc.exe	91
PID 2864 wrote to memory of 2768	2864	DllCommonsvc.exe	92
PID 2864 wrote to memory of 2768	2864	DllCommonsvc.exe	92
PID 2864 wrote to memory of 2768	2864	DllCommonsvc.exe	92
PID 2864 wrote to memory of 2412	2864	DllCommonsvc.exe	93
PID 2864 wrote to memory of 2412	2864	DllCommonsvc.exe	93
PID 2864 wrote to memory of 2412	2864	DllCommonsvc.exe	93
PID 2864 wrote to memory of 2732	2864	DllCommonsvc.exe	94
PID 2864 wrote to memory of 2732	2864	DllCommonsvc.exe	94
PID 2864 wrote to memory of 2732	2864	DllCommonsvc.exe	94
PID 2864 wrote to memory of 2888	2864	DllCommonsvc.exe	95
PID 2864 wrote to memory of 2888	2864	DllCommonsvc.exe	95
PID 2864 wrote to memory of 2888	2864	DllCommonsvc.exe	95
PID 2864 wrote to memory of 2880	2864	DllCommonsvc.exe	96
PID 2864 wrote to memory of 2880	2864	DllCommonsvc.exe	96
PID 2864 wrote to memory of 2880	2864	DllCommonsvc.exe	96
PID 2864 wrote to memory of 2744	2864	DllCommonsvc.exe	97
PID 2864 wrote to memory of 2744	2864	DllCommonsvc.exe	97
PID 2864 wrote to memory of 2744	2864	DllCommonsvc.exe	97
PID 2864 wrote to memory of 2828	2864	DllCommonsvc.exe	98
PID 2864 wrote to memory of 2828	2864	DllCommonsvc.exe	98
PID 2864 wrote to memory of 2828	2864	DllCommonsvc.exe	98
PID 2864 wrote to memory of 2660	2864	DllCommonsvc.exe	99
PID 2864 wrote to memory of 2660	2864	DllCommonsvc.exe	99
PID 2864 wrote to memory of 2660	2864	DllCommonsvc.exe	99
PID 2864 wrote to memory of 2904	2864	DllCommonsvc.exe	100
PID 2864 wrote to memory of 2904	2864	DllCommonsvc.exe	100
PID 2864 wrote to memory of 2904	2864	DllCommonsvc.exe	100
PID 2864 wrote to memory of 1668	2864	DllCommonsvc.exe	102
PID 2864 wrote to memory of 1668	2864	DllCommonsvc.exe	102
PID 2864 wrote to memory of 1668	2864	DllCommonsvc.exe	102
PID 2864 wrote to memory of 2644	2864	DllCommonsvc.exe	103
PID 2864 wrote to memory of 2644	2864	DllCommonsvc.exe	103
PID 2864 wrote to memory of 2644	2864	DllCommonsvc.exe	103
PID 2864 wrote to memory of 2656	2864	DllCommonsvc.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8d6283494341b7ba5e9c8831ccca027ecccfcd6914fed48bf5346a7091df0658.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Purble Place\it-IT\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
        6⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1992
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat"
        8⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2640
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        10⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1880
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
        12⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1928
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat"
        14⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2908
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
        16⤵
        
        PID:2344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2556
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
        18⤵
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2964
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
        20⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2476
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
        22⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2668
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ServiceProfiles\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Purble Place\it-IT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Purble Place\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\Purble Place\it-IT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f24973b0530a0e0b8ad0f7db3e5d0abb

SHA1
779bd553cc77db13d16b1ba3764ab499a78cf28f

SHA256
d43288aecb53258ff80ebfce33bcd93bad346d0783d28b78265e73ee73441280

SHA512
370245f800d8f5b07c7087960d9c3799c196069f58c1c2154dc340c406f4662ba027a85c039e2af0a97e0981b4e8e6d63e2e54fd77e194042bba06e3c20ee248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ffdff1bbb7fdcaa3549f1c1b82cfcef

SHA1
b1e42cda697d6c8898acb4c4d23e5cfb421b1842

SHA256
999cc8f37eb237ad4dfdd663dc894c8f6542dcc6369232ae18061e059c52e86d

SHA512
44b4b14ac264f152de741e2024e566a0d8ba4c4aa7d26f796d9a0c2c8f6ad255eaaa0d7567f05e6a1967ca2f8d41d0399bbcc4999c21b78105f77cbac422d745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7802257e8ef8ccb4937fba5d4f0135fd

SHA1
ccc7dbba60cc7bacede85ab317103210dcfe626c

SHA256
fe094786f55ff22c9b23631b5c968dbce364aaf0df0c2c8134e70af9aec7fc01

SHA512
dcdee32ef70297c28092f83955bc5243c08e22bd6cbac7bba1c7af04b0adf250e5a75bf05a3c339faf3e7d5dd84b5d6ad7c9e5df132f5e3fe38a63b02b90e926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63c1ab61c2f3bc2fec813bf11d329072

SHA1
5821b9550848efe6a9fcfac6fb8bfead4ed696f5

SHA256
a52051cf252daaceb813b124fca7581f07134995a8b186a124ac536b6859ceb5

SHA512
5745ded905315100896fa1454da6fde5f0c73bfcccf45ee152f94407e961481a480aab5226906d90a38a5df594eba4699bd2a908b4067f83ef405cb4b1cbc70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
509e298d5ece8a5809f46b86fe4377af

SHA1
f7ef95a8c79d50140401ed83940eceb27a76f786

SHA256
225a0ab3f32d7a005ecf273cfd7557e1879977585e618eb9d8fba8d4b0c8ce70

SHA512
7b0d33f283913c78eeeabdaf1f59db995d70ea6f4690626e181e0515b8de9325321251c00f2330667bb78cfa8fae9aa8685bfcf092729814cf6655e5cecb6e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98db75a951c9378739d1bb8a3a3e6352

SHA1
055e2c5e1a97c82f650a206a1bb19728119abff2

SHA256
abec18f8b41dd1995efdabcc4b1dffe924faee1e0e03ed71e3b50e3a9d7694e0

SHA512
c0a2153e1fc3fec73665835f06721ebb651d41ff3b4d2d59e41b828a712cdb20c8acd5d1bc9376d3e4b7326f4007b33143afefabf377e7aec0a2f7a41c99960a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a7a1b44d8dea4b954ffd3b034a590c1

SHA1
c9f5c5999234d79a8ac97c8e760ddf93d26e364f

SHA256
0504384f1a011eea90b5cdb4dea36c686a3e56be5b480190e74fc7c13b0ceb77

SHA512
9d6ccb8f3de8856083a7284de359ecbc81421374ff1fd7d887e974533318d2a2aae90999205905f6e7dc5f5e134cb6d10c364fad4d58383af71fc5a442ce9fb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cbbc5647a513e2af0a5bd6c51d566cb

SHA1
02ffe35008db1391cd29627d25b5453afd94d2ab

SHA256
6bde3d494c6794702b8dd3a4f9393182603bfc4583c8ae0c2bb08d4f80c12054

SHA512
525bc51a8019e9cd77503773f8b7c9d40d0a8d6dfd6ee0a096596c73285fd353dca31de6d93ed13b9bd3a79934fcc55fd165e6b16c634ea687e35a1231cc29c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
226B

MD5
b1deaa9775da3eaf3463376aedc639da

SHA1
185f1be0dc94949c8196110dcdfe93a3654f100e

SHA256
41dccd5e2db1df4a0c06119b0f7fb4ec831b958bd7bcc66fc2bb62fbc65c064c

SHA512
5251f1694879b6857a9fc4015fc2cd179d8ec4d1e1713628b9189935e92c4a5e43cac427961ff7cd9c0ce64ed49de25f7c0869af478e933e6d564b6e1d84539d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
226B

MD5
9cc801557567d70bc2812a6ac7cdde23

SHA1
760da3f46ae860b08ed7a6b7f304a31bb0f538cb

SHA256
c79ce61ee6be55c0aa6f42202c2be702dd20091416b96cacbafab80663526e19

SHA512
fca503257b872e4b8d025b1801d3bf97e71041262ddea557dc4132b5da6c6d1fc1bbaac73bdb12e16f1d64cce884b7a6761cc2a328bab9c8ef2c5df9e7533738

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

Filesize
226B

MD5
51d72430b3273cb111a22aaeb535bf48

SHA1
b5edd026eca5903f8649f3516f531faecc95b0ee

SHA256
749f172fa3c959902a25fd9d683ba30facb8fc2766c8c5d17c3e7ab1803ea31e

SHA512
e93b8ef2057eedeaf3a71f27a857a9e201f48953d881ccda9e7b140da4516bf7911ede3bffe05bc155fc259feda9d5fa99ca09b2a2513c300bd577ed2df19fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF3C3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\N7XO3McAFn.bat

Filesize
226B

MD5
29b167a934f161b705e6a2a074ce008f

SHA1
179585ce56523604f1a5ee62787ce5d48ce8efbc

SHA256
ab8bad088f720b6bd7fa6705802ecc7fbe3c685e017d9e3d886317e63135b1e0

SHA512
4708afb6d983e1fb59d297283087430e1a9ad0426ae1fec282b43d7e73e4badcb975763cb2b6141adf4dc1bba7767df5370a828bdd51662b55dda38d1b36fac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

Filesize
226B

MD5
295f266e2d16c4dc08f631d6c4ad1e20

SHA1
84468930df688d37b1641b76f3e10bcfb2136b7a

SHA256
f2ef0bd3a42b34c7209e64ffd4d46707cd853e5bd45655714b1dcd95b9413932

SHA512
4356872202e5f2da9629170117f0f51b20a0d97f0a0bfe93ae83cdece7f2171a44768849c33e3a25b67c38b176cc92158256399cf7bdc8dd382ddb70f97c6d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat

Filesize
226B

MD5
e5227a7f119d44b5875b9cd7f83f6ada

SHA1
29963d5238b015e18b93a784363007fc7443bc58

SHA256
a03b95186de56c5d8cf3f4949f90fc410d47d304b3c798007cd14d24cb234efc

SHA512
809dab8148677c08629717b3518212e388d0903d900fdd813f3f64b3ea7560a2d8f335856d8d22f6d941e4ef280b08036916452f521f499e38b15fa69ac8e2b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF3E5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

Filesize
226B

MD5
f8c82ffd220a7b51857f1bd72fbcb262

SHA1
824ec3ccea4199617a5a91c4a112e45cedf24e33

SHA256
6ba870a37b86bff2e40961ff5d65b586320f72d96c7e6ec18eab9d3d654a0b93

SHA512
d8354cb9ae9998caf050b4ed5d7606e5e7dd95047b4e66a26e07b4fa10353464585edf1427e449f9e9cbb563567918ccf6a582b3c27f68bc722a9fb7ea2c0a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\owZfSNRP11.bat

Filesize
226B

MD5
00351756f59d3e3578af4a9dbbbad1d8

SHA1
462eef074f70e36d0472a709bfaac27675405a19

SHA256
1a013e692dad367f76f5d358440a746c4e0c9c2c7f78d807b1a7d0ab43e3be95

SHA512
e4809a7621008548adb6685832429477ab755e3557a379503ac4c984e008f80386a36446f8a7b5ab2d9da87376ec9b992e401c9b072623cb2090dae1760f1316

Download Submit
C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

Filesize
226B

MD5
c2222c262916e37ee40bf899067fca45

SHA1
5a445e58a7b035e094d11efb0f3aa2533725bfef

SHA256
c44c5e52782498ab9bfeeeff7c096fdf3cce0ad505031f5a0d6096aecb05546c

SHA512
989af9e552d8ffec342553f83aa513e301699bf85a1e4a5189617e435f909b53be1defedf3596369474a7bf09cf761bb812944a4a50e5129ab6006e2cae7188c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0ca3c424eea8170179bd06f7b3af606e

SHA1
bd3fa0d0ee2855464a70549f8b9558ceb11e2918

SHA256
16a25c29c50e8176c65bf0a3dc8e7e2b2fdf9b4248ec8e49e3a15bd2ae581065

SHA512
fb92d4f97b2631e9419d1809aa990f40ce08830bb3e072654eeff1d9c0a005ca5e3b559561336cd0a946ec08d30d4d0cc256498a6baf3e3182a8891873afb93c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/380-435-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/380-436-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1152-556-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/1508-99-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1508-58-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/1616-676-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2004-496-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/2028-315-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2112-73-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2124-74-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2152-616-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/2780-375-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2864-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2864-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2864-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2864-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2864-13-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download