dcrat | fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea.exe
Size

1.3MB
MD5

4f30c61b0b3d69d5f4cd3ca1c676cba8
SHA1

76f5bd3e58e8972b64bd382d28c24cec4281440b
SHA256

fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea
SHA512

bbd45167b654948adc0a0497c72bbfd8495e42b4efe3d8273d8f0798d60574f92b860d34cc8e4096061535230e8deab6b9c578f6a6031bee3242c7cac297c8fd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2232	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2232	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d69-10.dat	dcrat
behavioral1/memory/2228-13-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/3068-54-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/744-194-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/960-255-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2968-315-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/1504-435-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/840-495-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/2684-555-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1560	powershell.exe
2324	powershell.exe
1704	powershell.exe
2304	powershell.exe
2240	powershell.exe
2620	powershell.exe
1104	powershell.exe
2384	powershell.exe
2612	powershell.exe
1824	powershell.exe
2108	powershell.exe
1576	powershell.exe
2188	powershell.exe
2472	powershell.exe
896	powershell.exe
2604	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2228	DllCommonsvc.exe
3068	conhost.exe
744	conhost.exe
960	conhost.exe
2968	conhost.exe
276	conhost.exe
1504	conhost.exe
840	conhost.exe
2684	conhost.exe
2832	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	cmd.exe
2956	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
34	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SoftwareDistribution\ScanFile\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\SoftwareDistribution\ScanFile\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\Speech\Common\de-DE\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
2564	schtasks.exe
3000	schtasks.exe
2568	schtasks.exe
1160	schtasks.exe
2988	schtasks.exe
1516	schtasks.exe
1968	schtasks.exe
2728	schtasks.exe
1460	schtasks.exe
1644	schtasks.exe
1992	schtasks.exe
396	schtasks.exe
968	schtasks.exe
2272	schtasks.exe
1092	schtasks.exe
2688	schtasks.exe
2116	schtasks.exe
692	schtasks.exe
2432	schtasks.exe
1956	schtasks.exe
2464	schtasks.exe
1980	schtasks.exe
1732	schtasks.exe
2856	schtasks.exe
2724	schtasks.exe
524	schtasks.exe
1324	schtasks.exe
1424	schtasks.exe
1720	schtasks.exe
1996	schtasks.exe
2268	schtasks.exe
2424	schtasks.exe
2508	schtasks.exe
2960	schtasks.exe
1492	schtasks.exe
2216	schtasks.exe
2028	schtasks.exe
2780	schtasks.exe
3020	schtasks.exe
2132	schtasks.exe
1932	schtasks.exe
2912	schtasks.exe
2024	schtasks.exe
2280	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
3068	conhost.exe
2472	powershell.exe
1824	powershell.exe
1560	powershell.exe
896	powershell.exe
1576	powershell.exe
2612	powershell.exe
2108	powershell.exe
2240	powershell.exe
2604	powershell.exe
2304	powershell.exe
1104	powershell.exe
2188	powershell.exe
1704	powershell.exe
2384	powershell.exe
2324	powershell.exe
2620	powershell.exe
744	conhost.exe
960	conhost.exe
2968	conhost.exe
276	conhost.exe
1504	conhost.exe
840	conhost.exe
2684	conhost.exe
2832	conhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	DllCommonsvc.exe
Token: SeDebugPrivilege	3068	conhost.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	1824	powershell.exe
Token: SeDebugPrivilege	1560	powershell.exe
Token: SeDebugPrivilege	896	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	744	conhost.exe
Token: SeDebugPrivilege	960	conhost.exe
Token: SeDebugPrivilege	2968	conhost.exe
Token: SeDebugPrivilege	276	conhost.exe
Token: SeDebugPrivilege	1504	conhost.exe
Token: SeDebugPrivilege	840	conhost.exe
Token: SeDebugPrivilege	2684	conhost.exe
Token: SeDebugPrivilege	2832	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2080	1740	JaffaCakes118_fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea.exe	30
PID 1740 wrote to memory of 2080	1740	JaffaCakes118_fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea.exe	30
PID 1740 wrote to memory of 2080	1740	JaffaCakes118_fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea.exe	30
PID 1740 wrote to memory of 2080	1740	JaffaCakes118_fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea.exe	30
PID 2080 wrote to memory of 2956	2080	WScript.exe	32
PID 2080 wrote to memory of 2956	2080	WScript.exe	32
PID 2080 wrote to memory of 2956	2080	WScript.exe	32
PID 2080 wrote to memory of 2956	2080	WScript.exe	32
PID 2956 wrote to memory of 2228	2956	cmd.exe	34
PID 2956 wrote to memory of 2228	2956	cmd.exe	34
PID 2956 wrote to memory of 2228	2956	cmd.exe	34
PID 2956 wrote to memory of 2228	2956	cmd.exe	34
PID 2228 wrote to memory of 896	2228	DllCommonsvc.exe	81
PID 2228 wrote to memory of 896	2228	DllCommonsvc.exe	81
PID 2228 wrote to memory of 896	2228	DllCommonsvc.exe	81
PID 2228 wrote to memory of 1824	2228	DllCommonsvc.exe	82
PID 2228 wrote to memory of 1824	2228	DllCommonsvc.exe	82
PID 2228 wrote to memory of 1824	2228	DllCommonsvc.exe	82
PID 2228 wrote to memory of 2472	2228	DllCommonsvc.exe	83
PID 2228 wrote to memory of 2472	2228	DllCommonsvc.exe	83
PID 2228 wrote to memory of 2472	2228	DllCommonsvc.exe	83
PID 2228 wrote to memory of 2612	2228	DllCommonsvc.exe	84
PID 2228 wrote to memory of 2612	2228	DllCommonsvc.exe	84
PID 2228 wrote to memory of 2612	2228	DllCommonsvc.exe	84
PID 2228 wrote to memory of 2188	2228	DllCommonsvc.exe	86
PID 2228 wrote to memory of 2188	2228	DllCommonsvc.exe	86
PID 2228 wrote to memory of 2188	2228	DllCommonsvc.exe	86
PID 2228 wrote to memory of 1704	2228	DllCommonsvc.exe	88
PID 2228 wrote to memory of 1704	2228	DllCommonsvc.exe	88
PID 2228 wrote to memory of 1704	2228	DllCommonsvc.exe	88
PID 2228 wrote to memory of 1576	2228	DllCommonsvc.exe	89
PID 2228 wrote to memory of 1576	2228	DllCommonsvc.exe	89
PID 2228 wrote to memory of 1576	2228	DllCommonsvc.exe	89
PID 2228 wrote to memory of 2324	2228	DllCommonsvc.exe	90
PID 2228 wrote to memory of 2324	2228	DllCommonsvc.exe	90
PID 2228 wrote to memory of 2324	2228	DllCommonsvc.exe	90
PID 2228 wrote to memory of 1560	2228	DllCommonsvc.exe	91
PID 2228 wrote to memory of 1560	2228	DllCommonsvc.exe	91
PID 2228 wrote to memory of 1560	2228	DllCommonsvc.exe	91
PID 2228 wrote to memory of 2384	2228	DllCommonsvc.exe	92
PID 2228 wrote to memory of 2384	2228	DllCommonsvc.exe	92
PID 2228 wrote to memory of 2384	2228	DllCommonsvc.exe	92
PID 2228 wrote to memory of 2604	2228	DllCommonsvc.exe	94
PID 2228 wrote to memory of 2604	2228	DllCommonsvc.exe	94
PID 2228 wrote to memory of 2604	2228	DllCommonsvc.exe	94
PID 2228 wrote to memory of 1104	2228	DllCommonsvc.exe	96
PID 2228 wrote to memory of 1104	2228	DllCommonsvc.exe	96
PID 2228 wrote to memory of 1104	2228	DllCommonsvc.exe	96
PID 2228 wrote to memory of 2240	2228	DllCommonsvc.exe	97
PID 2228 wrote to memory of 2240	2228	DllCommonsvc.exe	97
PID 2228 wrote to memory of 2240	2228	DllCommonsvc.exe	97
PID 2228 wrote to memory of 2108	2228	DllCommonsvc.exe	98
PID 2228 wrote to memory of 2108	2228	DllCommonsvc.exe	98
PID 2228 wrote to memory of 2108	2228	DllCommonsvc.exe	98
PID 2228 wrote to memory of 2304	2228	DllCommonsvc.exe	99
PID 2228 wrote to memory of 2304	2228	DllCommonsvc.exe	99
PID 2228 wrote to memory of 2304	2228	DllCommonsvc.exe	99
PID 2228 wrote to memory of 2620	2228	DllCommonsvc.exe	100
PID 2228 wrote to memory of 2620	2228	DllCommonsvc.exe	100
PID 2228 wrote to memory of 2620	2228	DllCommonsvc.exe	100
PID 2228 wrote to memory of 3068	2228	DllCommonsvc.exe	103
PID 2228 wrote to memory of 3068	2228	DllCommonsvc.exe	103
PID 2228 wrote to memory of 3068	2228	DllCommonsvc.exe	103
PID 3068 wrote to memory of 584	3068	conhost.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fcf899eefb5a488b6721e6deb1b7dadd695e44843991bf2d88d880f226a1d4ea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        6⤵
        
        PID:584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1100
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat"
        8⤵
        
        PID:516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2460
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
        10⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1516
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat"
        12⤵
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1312
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        14⤵
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3004
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
        16⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1028
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        18⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1868
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat"
        20⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1796
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat"
        22⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Favorites\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\ScanFile\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\it-IT\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows NT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Journal\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c0387547fbb4e89077f67dd4df83d10

SHA1
aa79c76868c11dcfb1e954000cf22be93a7297eb

SHA256
59281ab77ed7357d57f2cc432cf7ff564984202e7d37f4736275d720e37cb81d

SHA512
0ef4f21246428753b2226168820014d51d911a1dcb12f551088e1cfd554ec32b164c09a4521d04cd9d50699f44e5fdbcda29955efb2b4753e328d786f4fd00d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d20d0fb65a6bdf9690c0f7f23e83f24

SHA1
58fe3a76e6a78846869b9efdd0977ba9ec3ed0a2

SHA256
5c4733492cbd3563c150cc0e882dce22808380711a9e7b2b295c9af6bdef43e1

SHA512
150aa2b0f7b8928cfd39be411486d4a9fae6c023a8dc6e9b9a6d3b12eb32ff1e2e5fb2c5b820aa72e73464fa93b6a5aecd9a265e035539b0bb309b7a8d4ae703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcac6bd0254bedcc385066f95cfb46a3

SHA1
38a37f2411dbbde46c47493974896e42f2d9e54c

SHA256
3306e87460055da2d4378623d285400061c985c109fe2b71d8abcfdc87758831

SHA512
048b117b41494492438de41ed6385fc3d367b7a9c71ac3722f266b8567acbffc8410f244d86b4af956ca5e8937f6c5729a2178d2e6b79fb3361c0f91399bf1be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b15ac126ff705f79d835c4b1bc6a666

SHA1
2f51ffbfb75f1670674a6018fac0741d4ddf116d

SHA256
78e3bf1cbdd8991e8a1415a037090385bc40c861eb9cf0d7c3a64d8b43de6483

SHA512
c65f16b3779a428aba846776da53bf24c8c432ea58a243ffdba0da210e1e0c00dd47aa9f037da20629d24d935762a677deaaf95554086e2c23ad59f77e39a69a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
462babb62c14943da602545fcd5e93c2

SHA1
e4327df18b70364e70a29ff191f31ebc59043846

SHA256
7fba02063340ba1fad0f000fb324150388ecc2823154f05a8f393d91f3bcd837

SHA512
f197576af95e67ffaf401296330d68be7c068dde8b712357b41d617df398a66daa74a56be6772965cbcfc7ef4bf02ce230a05baee7859e934b3f32f795a60c40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d26714cc6401bf79ac2f4f882a066707

SHA1
45234bb6d0943a04815cb0bbd0719b83a1dcde7b

SHA256
23434e9e55fa26ce8577760beaee8df8baa5e153f97fdb26386eea2fe7407af1

SHA512
f286384f1eda293c9f783765575eab6fa87e8d38e08907ac295651faca1d32cb297069b54d02de9f1e20e23dccbb66ccd3f16857ba8053577a27e6f9dbd59b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
835c2f657046a853ba9f3941cdba7a88

SHA1
c40b942ffc6cbd5e916fe70c7b16717358ae0e7c

SHA256
2eaf754496f9465bd3298968250c6453631e0cea3be68f9f9635171ed091df4f

SHA512
6472e6edca609250dd625f3dff37ca6c0267a023db08423aa7f3484ae2dff2cb4defb8c935409763881f93943decfe90c1e49d50c2362ac49d29b4eefc41c0be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a90edb55dfab07591e1dd5cf021660aa

SHA1
eae4c38bd759264b853b16d5a35767ff22db60d6

SHA256
d218f5b286aa3fbe6bc79947670162a47ef3f8aeeda57f8ef7de494ff5ff35f6

SHA512
ba8a0a731a8c6abf4235f21a6836bc0a5beba4feac3da18316f2839fec521f717594aebf75608f0e2518e174b8b9bb9a228e280d4eb8f73bdbce7f0471bf25c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zXOrWkEHk.bat

Filesize
225B

MD5
392b7f768511a696040639ac4d4f8e51

SHA1
bcaae1c798d42b2dc8de9f14dd6046e9804f747a

SHA256
11bacdba03e9e8db5c9b7d271f2a1798c29048d1ae472b5219842cbaf8e1b68c

SHA512
237ffb9af42d780b2bde5c607d0c0383e0506ea2f4ca10a7af8cf273def89a204a53102a22ca153f033a9a40fc4e2f035ec8b0be035f2a52141d705968580ede

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab170C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat

Filesize
225B

MD5
e45af32651d0733656e57be2f8886493

SHA1
acf3191f5f13e920c2ba06aff8984b24bf879840

SHA256
aee4bc754e284107134601a157ec220925893a8358df96c87edaea3f9608f274

SHA512
22b6920afaf97d82cba8e9e8448b6cdaebadccabdc13f07183d516e497fa24d13fc1a286a74a7ffa9543f233667bd325896046635c255cfe2e78005fe31785d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
225B

MD5
49eb9ae04c70a847737279212ae00758

SHA1
c80c304bbc872e45810b4fa6ec4e4dd39a291684

SHA256
7ad5b09eb91c521c53f05b91ef973d9796f3e1c5605629d2cb0fe8f5178546af

SHA512
97126a3f802f34878144cc6b476a906dcdfecbba29c94c42660540282543ea7806407d88d320ba3332af41ff483d7c3f4cba0aede3a634682ad952e39c6dbea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1827.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3ML2JPNvQ.bat

Filesize
225B

MD5
bd972fda2818ac6c8b2cfa770fb73e86

SHA1
72088c5a4da6f3c8e4186b02181d132abe2491ac

SHA256
96425c18b229f13a711f899643ed0b1e9e94de4e047886b986af276de8e8d7f5

SHA512
7647953881157989b2b8283c9e6417ed453caf63075ab29b762760274c1a76bdd545ef26e3bf29c148696967c8a762b0be39533b44bc2cfe7a82c5142aea003d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat

Filesize
225B

MD5
ffe8af670671ec9641d84b593256cfb7

SHA1
256a02dfb8416ad511e7f384c821e9b537566e03

SHA256
69603ae04c3d20e4e0ae01b855dc0a419cda5a185c21a48e63aa8fa9a07dc54e

SHA512
7b060bc53aa559dc8b4edfd7d6a605ebab535fbada00d7300fdbb69503d4697c50c10d7504345d76e6142a181c76a9af747beb7683a522ca7c7ed7316a83bb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6hK16ZrMt.bat

Filesize
225B

MD5
d14b4cb95f12bd70811f58e495ea1371

SHA1
78307615c8cc9470cf9f40ed005446cf8ff5f36c

SHA256
4c4cca388735ce5ef0f12d4e2c0dd071ec8ba4a30b99bd6ce07a35f2307b4b77

SHA512
f66d846963b9729c8c93d1ea49a77ee0d1db739f99bdaeac00eb0cfac10c719f4efed7c43d86356985422decc63811b7f9ed8e56f89cd02ef74c97ab5f6e8be6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat

Filesize
225B

MD5
1d59c03e1a38eaef6c62408984325701

SHA1
7687ba95c42972f62b9ff9e394c73a0120179970

SHA256
5b225097bcec0ff8f3da64d871a8f97f0dba2de2139374a75e8070127766d191

SHA512
b9e347e5dddabfd7bde4f7af3df1a74e5d256ec28ee741fc00288c133d205729cf18adb5fa7ec65026613d4b63d215d78b3ba14f4d038211e892e0f5dc69ba3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
225B

MD5
84dbc9c1ac70ace746d84f2d94d73c19

SHA1
c10f42298bc033bc110e20432e422614802b8f35

SHA256
f9536aff7a8104ab5b73c0f550fee29f00b2370bf59ae76347513a8fcdc4d5ed

SHA512
5e9113da9d17425ee286d59bd65821b310603bc5efedfbdb1fe2b4b67e5311fd40feff331a892efbb415b7665c952b1fe40a67d94a69101b28d24ab46aaa24d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
225B

MD5
8dd8683736c9d62a522748441f677865

SHA1
0c7096c409d38c87079cc2beab4aa9fc9f0cd516

SHA256
3349c818c3b0c5294967f00c05be1d232954b7f25a801cddd97f6405cfd45241

SHA512
95082f1ce45021edeed76a089187b143c9ff7a76d076ee2b70fe1ae2b27dead7244a86f8a5efeee69ef205f210d260d8aab3c94e4e13c824ecc59f2876f08feb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bad26d4d6e9702218a79e486e90eb642

SHA1
bbf17d7536f197d8d8140f2b2d7f1f42d8565f9e

SHA256
136415be6dc6c0b5f0f46854f737a33ba02f97700982e5d488421c0608b5d337

SHA512
d0492d3e6361961cfd0ab7e107c7792a6f7470bc63e58a33d03a3f96afddc065df630d3e6555b9892265a2ec42548df22815f3cebd97f1bfe0a506f98e32a1d5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/276-375-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/744-195-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/744-194-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/840-495-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/960-255-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/1504-435-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1824-135-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

Filesize
32KB

Download
memory/2228-17-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2228-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2228-13-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2228-16-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2228-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2472-100-0x000000001B0D0000-0x000000001B3B2000-memory.dmp

Filesize
2.9MB

Download
memory/2684-555-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2968-315-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/3068-54-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download